Web skimmer found on website of Liquor Control Board of Ontario

The LCBO disclosed a cybersecurity incident in January 2023 involving a web skimmer designed to steal customer payment information from LCBO.com during checkout. Experts identified the skimmer as Magecart, loaded via a Base64-encoded Google Tag Manager snippet and communicating covertly over a websocket. #Magecart #LCBO #MagentoCDN

Keypoints

  • In January 2023, LCBO reported a web skimmer incident affecting LCBO.com checkout and payment data.
  • The skimmer was identified as Magecart, injected through a Google Tag Manager (GTM) snippet encoded in Base64.
  • The attackers loaded the skimmer via a websocket rather than a typical HTTP request, increasing stealth and evasion.
  • The skimmer domain used was magento-cdn.net, registered recently before the attack.
  • The malicious code targeted checkout pages where personal and payment information could be captured.
  • Data potentially stolen included names, addresses, Aeroplan numbers, LCBO account passwords, and credit card details; compromised records were linked to January 5–10, 2023.
  • Mitigation advice included CSP/SRI, third-party resource integrity checks, and consumer precautions like monitoring card statements and using browser safeguards.

MITRE Techniques

  • [T1071.001] Web Protocols – The attacker used a websocket for communication to covertly exfiltrate data. Quote: ‘loading the skimmer code via a websocket, instead of a more typical HTTP request.’
  • [T1036] Masquerading – Malicious code injected was disguised as legitimate snippets such as Google Tag Manager. Quote: ‘injecting malicious code disguised as legitimate snippets such as Google Tag Manager.’
  • [T1199] Exploitation of Trusted Relationships – The attack leveraged a legitimate Google service (GTM) to host scripts, abusing trust in third-party infrastructure. Quote: ‘the abuse of this legitimate Google service has been ongoing because it provides attackers free infrastructure upon which they can host their scripts, while also granting enhanced capability to avoid detection.’
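
As an added example (JavaScript, not code from the Malwarebytes post or the LCBO site), the following toy Content-Security-Policy evaluator illustrates both the CSP mitigation in the keypoints and the websocket technique above: it checks whether a policy blocks an injected inline script snippet and a websocket to the skimmer domain while still allowing the legitimate GTM loader. The page origin and the two policies are constructed, and the evaluator models only host/scheme sources, `*`, `'self'` and `'unsafe-inline'`, not nonces, hashes, paths or ports.

```javascript
// Added example, not code from the Malwarebytes post: a minimal evaluator for the
// script-src and connect-src directives of a Content-Security-Policy header.
// Modelled: host/scheme sources, '*', 'self', 'unsafe-inline'. Not modelled: nonces, hashes, paths, ports.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression match `url` for a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... match no URL
  if (source.endsWith(":")) return url.protocol === source; // scheme-source, e.g. "https:"
  const [scheme, host] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && url.protocol !== scheme + ":") return false;
  const hostname = host.split("/")[0];
  if (hostname.startsWith("*.")) return url.hostname.endsWith(hostname.slice(1));
  return url.hostname === hostname;
}

// Is a load or connection to `urlString` allowed by `directive` (falling back to default-src)?
function allowed(policy, directive, urlString, pageOrigin) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // no applicable directive: unrestricted
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample: a permissive policy beside a tightened one. The page origin is a
// placeholder; the websocket target is the skimmer domain the post lists as an IoC.
const PAGE_ORIGIN = "https://shop.example";
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://www.googletagmanager.com; connect-src 'self'";
function evaluate(header) {
  const policy = parseCsp(header);
  const scriptSrc = policy["script-src"] || policy["default-src"];
  return {
    // an injected inline snippet runs only if 'unsafe-inline' is present (or script-src is absent)
    inlineScript: !scriptSrc || scriptSrc.includes("'unsafe-inline'"),
    // the skimmer's websocket is governed by connect-src, not script-src
    skimmerWebsocket: allowed(policy, "connect-src", "wss://magento-cdn.net", PAGE_ORIGIN),
    // the legitimate GTM loader must remain allowed by script-src
    gtmLoader: allowed(policy, "script-src", "https://www.googletagmanager.com/gtm.js", PAGE_ORIGIN),
  };
}
```

Allowlisting www.googletagmanager.com still admits whatever container is served from it, which is the trust abuse described under T1199, so CSP complements rather than replaces integrity review of third-party tags.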

Indicators of Compromise

  • [Domain] magento-cdn.net – used to host the Magecart skimmer
  • [Domain] lcbo.com – target site where checkout occurs (online store domain)

Read more: https://www.malwarebytes.com/blog/news/2023/01/web-skimmer-found-on-website-of-liquor-control-board-of-ontario