Procter & Gamble’s “First Aid Beauty” Online Store Compromised by Credit Card Skimmer

Last updated October 26, 2019
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

If you have bought anything from Procter & Gamble’s "First Aid Beauty" online store lately, chances are that your credit card details were stolen. According to the details that have surfaced after the Sanguine Security researcher, Willem de Groot made the relevant publication, the MageCart script that was planted on the online store's website was targeting U.S. citizens, and only Windows and macOS users. This means that if you’re located elsewhere in the world, or if you’re using Linux, the skimming script isn’t activated. Willem de Groot believes that the reason for this is because most researchers use Linux, so it’s a method to avoid detection.

P&G bought First Aid Beauty in July this year for a reported $250 million, but the researcher found that the script was hiding in the website’s code since May 5th. The first contact to alert the website owner of the problem was made last week, and after receiving no response, the researcher tried multiple times to no avail. This led him to contact Bleeping Computer and spread the word about the incident as this was a critical security matter for many thousands of potential customers. The website is very popular, holding an Alexa traffic rank position of 140k.

The script itself was heavily obfuscated and featured encryption. This, in combination with its victim filtering, indicates that it is the work of experienced actors. All that definitely played a crucial role in how the skimming script managed to fly under the website’s admins radars for so long. As for what info it can steal, this includes the full credit card number, the expiration date, the name of the card owner, and the CVV code. That is all that a malicious actor would need in order to make purchases and carry out payments using the stolen data.

FirstAidBeauty-MageCart

Source: Bleeping Computer

Right now, the First Aid Beauty website is offline (error 503), probably due to an in-depth review that is going on by P&G’s IT teams. Moreover, they have provided the following comment to BC: “Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact on our consumers. We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.”

Are you buying stuff on the internet using your payment card, or do you prefer alternative payment methods? Let us know in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: