
Hmmm...
Well-known CMS in which vulnerabilities are discovered at a rate much faster than they can be patched, and each patch introduces new vulnerabilities?
Graphics tablet maker Wacom has warned customers their credit card details may well have been stolen by miscreants while they were buying stuff from its website. We're told people's payment information was likely pilfered from the biz's online store between the end of November and early January, and that if you get a message …
I know a lot of people really do not like PayPal and with good reason but I would buy almost nothing online without it. I'm not going to type my CC number into a website unless there's no other choice and it's an absolutely essential purchase. There are so many different links in the chain from my browser to the CC provider and I don't trust them all. I might even have a keylogger running on my device. Also, websites that offer to store my card details, for my convenience, can put that offer somewhere unpleasant.
As the article implies this is probably a CMS breach but I find it sad that the Wacom checkout page loads scripts from:
commerce.adobedtm.com
cdn-4.convertexperiments.com
connect.facebook.net
cdn.gigya-ext.com
www.google.com
cdn.jsdelivr.net
js.klarna.com
consent.trustarc.com
unpkg.com
static.zdassets.com
www.googletagmanager.com
static.hotjar.com
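An added example, not part of the comment above and not Wacom's code: a small audit that lists the third-party hosts a checkout page pulls scripts from, flags tags without Subresource Integrity, and derives a `script-src` allowlist to review. The first-party host `shop.example.com`, the sample markup and its paths are constructed; only the host names come from the list above.

```javascript
// Assumed first-party host for the page being audited (hypothetical).
const FIRST_PARTY = "shop.example.com";

// Constructed sample markup; hosts are from the comment, paths are made up.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script>var inlineOnly = true;</script>
<script src="https://js.klarna.com/constructed/sdk.js"></script>
<script src="https://cdn.jsdelivr.net/constructed/lib.min.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//unpkg.com/constructed-widget"></script>
<script async src="https://www.googletagmanager.com/constructed/tag.js"></script>
`;

// Return one finding per <script src> whose host differs from the page host.
function auditScripts(html, pageHost) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: no remote origin to report
    // Resolve relative and protocol-relative URLs against the page origin.
    const url = new URL(src[1], `https://${pageHost}/`);
    if (url.host === pageHost) continue; // first-party script
    findings.push({
      host: url.host,
      // Without integrity=, the browser runs whatever that host serves today.
      hasSri: /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs),
    });
  }
  return findings;
}

// Build the script-src directive that this set of hosts would require.
function cspScriptSrc(findings) {
  const hosts = [...new Set(findings.map((f) => f.host))].sort();
  return `script-src 'self' ${hosts.map((h) => `https://${h}`).join(" ")}`;
}

const findings = auditScripts(SAMPLE_HTML, FIRST_PARTY);
for (const f of findings) {
  console.log(`${f.host}\t${f.hasSri ? "SRI pinned" : "NO integrity attribute"}`);
}
console.log(cspScriptSrc(findings));
```

Every host in that directive can run code in the page where the card number is typed, so the length of the allowlist is itself the finding; SRI only helps for files whose content is fixed, which tag managers and analytics loaders are not.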
We did receive such an email on Jan 27, and yes, there were bogus charges being "investigated" by the bank belonging to the card used for a purchase on the Wacom site around the end of November.
The fraudulent purchases themselves were dodgy - exact dollar amounts rounded to the hundred - and it looks like at least in our case at least two groups were using the card info, as the first hit was toward the beginning of January with subsequent hits spaced some days apart, but in the middle of that there was a charge then a reversal the next day, as if someone else was testing, perhaps gearing up for more charges.
It makes me wonder just to what lengths the bank would go to catch these criminals. The items would have been shipped somewhere. Some may still be in transit. Perhaps the FedEx delivery driver coming to your door could be a police officer.
A bit more labor, but one thing that would stop this fraudulent activity in its tracks is a "one-time" card number issued by the bank, with a specific dollar amount on it (plus maybe a little more padding for extra shipping, etc.). You'd get into your credit card account, enter the purchase amount and site from which the product is being purchased, and be given a customized card number & one-time code to use at checkout.