Major e-cigarette store hacked to steal credit card details

(Image credit: Pickawood / Unsplash)

Element Vape, a popular online retailer selling e-cigarettes and accompanying accessories, has had its website compromised and loaded with the popular credit card skimmer, MageCart.

The news was revealed by BleepingComputer, whose analysts investigated the website’s code, and found the skimmer on the checkout page. The skimmer was stealing information such as email addresses, credit card numbers and expiration dates, phone numbers, billing addresses, and street and ZIP codes.

As soon as the existence of the skimmer was confirmed, the publication notified Element Vape, which reacted promptly, eliminating the malicious code from its website on the same day.

Recent attack

How the code ended up on the webpage in the first place remains a mystery, and it's hard to tell if any of the company's endpoints were infected with malware.

The name of the threat actor is also unknown. The publication says the data stolen gets exfiltrated to an obfuscated, hardcoded Telegram address.

What the investigation did discover is that the attack is most likely of a newer date, as the code wasn’t present on the site in early February this year.

> MageCart attacks return to target hundreds of outdated ecommerce sites

> Retailers using WooCommerce are the next target for Magecart card skimmer attacks

> Magecart attacks hit thousands of UK SMBs ahead of Black Friday

Element Vape has been attacked before, BleepingComputer says. Back in 2018, it notified its customers of potentially leaking personally identifiable information (PII) to unknown threat actors.

The consumers filed a lawsuit, claiming the company did not notify affected individuals on time, and did not do all it could to prevent the incident from happening in the first place. The lawsuit was followed by a class-action one in 2019, demanding a trial by jury.

While the community’s response to Element Vape seems to be mostly positive, across social media, there are a few potential red flags, BleepingComputer hints. For example, in some U.S. states, it’s known as TheSY LLC, and has a Twitter userbase of 13,000. However, its tweets are protected, which is not what you’re used to seeing from a company.

Element Vape is yet to comment on the findings. Customers interacting with the company are advised to keep both eyes on their credit cards, for suspicious transactions.

You should also check out our list of the best firewalls right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.