2019 Magecart Timeline
We break down the timeline of the number one threat to ecommerce sites today – Magecart! This timeline includes all the significant Magecart attacks in 2019. With 4,800 formjacking attacks each month alone, this timeline only represents a small proportion of attacks reported in the public domain in 2019.
Detect Web-skimming, Formjacking, and Supply Chain attacks before a Data Breach occurs with Magecart detection.
The first significant attack reported in 2019 was on Discount Mugs who were hacked for four months from August 5th to November 16th 2018. Malicious code was injected onto the payments page, siphoning details to an external server. Although the company did not disclose the number of customers affected, Discount Mugs ranks in the top 10,000 sites in the U.S., bringing in thousands of customers every day.
On January 7th, Bleeping Computer reported a data breach on United States-based kitchen utensil manufacturer OXO. In a data breach notification, OXO disclosed that their site had been infected numerous times over two years. OXO stated that between June 9th – November 28th 2017, June 8th – 9th 2018, and July 20th – October 16th 2018 their site was compromised and an unauthorised third-party were stealing payment details. OXO hired a third-party security firm to investigate the server and fix any vulnerabilities that were present and now use a Magecart Detection tool to mitigate future attacks.
ZDNet reported Paris-based advertising company, Adverline was hacked with malicious code which then infected 227 websites. The attack was present from November 2018 and was still present two months later as of January 16th. The malicious code delivered through Adveline’s ads performed a page URL check with keywords found on checkout pages. This attack is believed to belong to a new Magecart group – Group 12.
In an email to customers, Topps.com, a sports trading card site revealed a Magecart attack on their website. On December 26th 2018, Topp’s became aware of an unauthorised third-party attack on their website. A malicious script was added to their website on November 18th 2019 and remained until January 9th 2019. When loaded, the malicious script (http://creditprop[.]com/checkout) would capture payment information entered into the site and send it to a remote site. Upon investigating this attack, Security Researcher Yonathan Klijnsma explains that Magecart Group 4 were responsible for this attack.
MyPillow and Amerisleep
The Hacker News revealed two Magecart attacks on bedding retailers MyPillow and Amerisleep. The MyPillow attack occurred in October 2018 when a skimmer was hosted on a typosquatting domain (mypiltow[.]com). The attacker then directed the attack from a different angle, as the domain livechatinc.org was registered imitating the legitimate chat function, Livechat, which MyPillow use. MyPillow CEO Mike Lindell confirmed the breach stating: “(MyPillow) found no indication that the breach was effective or that any customers’ information was compromised.” The skimmer was active until November 19th 2018.
Amerisleep were targeted by Magecart several times in 2017 but became a victim once again in December 2018 when attackers hosted malicious skimmer code in a Github account (amerisleep.github[.]io). Their most recent attack occurred in January 2019 in which the attacker made sure the skimmer was only injected on the payment pages.
Springtime arrives and so do Magecart attacks on growing websites. In April, it was revealed that at-home garden kit company, AeroGrow were infected with a skimmer on their site for more than four months. The company disclosed that their site was compromised from October 29th 2018 to March 4th 2019, however, no further details were given on the number of customers affected.
CNET reported an attack discovered by Willem De Groot on the Atlanta Hawks website on April 20th. Bleeping Computer explained when a customer checked out, the script made an additional request to the malicious domain imagesengines[.]com. The domain was registered on March 25th, which shows the planning behind these types of attacks. Although the number of affected customers is unknown, the Atlanta Hawks shop claims to have 7 million hits per year.
On April 29th, IT News reported an attack on Puma Australia’s website. Willem de Groot discovered the attack five days earlier and explained that despite notifying Puma’s Australia, the site continued to be infected by Magecart malware. The attack took advantage of an out of date version of Magento running on Puma Australia’s website. The stolen payment details were sent to a server in Odessa. It is unknown how many customers this affected however it was a regional-based attack.
Mirrorthief College Stores
Picreel & Alpaca Forms
Over 4,600 websites using third-parties, Alpaca Forms and Picreel were affected by a supply-chain attack. 1,249 websites were infected via Picreel – an analytics service and 3,345 websites via open-source form builder project, Alpaca forms. Koddos reported “(Alpaca Forms)…was initially built by CloudCMS before being open-sourced over eight years ago. In the case of Alpaca, the hackers managed to infiltrate the CloudCMS managed CDN to modify one of the alpaca scripts.” The sensitive payment data was sent to the cybercriminal’s server in Panama. Cloud CMS have not taken ownership of the vulnerability and have suggested that a possible cause was an exploit on a known httpd vulnerability. The code was removed the same day.
French Jewellery Chain, Cleor operates 136 boutiques across France. On April 14th 2019, Netcraft reported the infection on Cleor’s website, which they discovered on the 10th. The code was injected into the website alongside a legitimate Facebook tracking script. Disguised similarly to the BA skimmer code, external domain cleor [.] co, mimicked the real cleor website domain cleor.com. The code used was also obfuscated to disguise its purpose. Netcraft explain; ‘The data sent to the dropsite is Base64-encoded, decoding it reveals a JSON array containing all of the credentials entered into the form.’ A keystroke logger stole credentials immediately when entered and not just when submitted, therefore the attack also affected customers who did not complete checkout.
Security Researcher Troy Mursch told Threatpost he noticed the compromised Forbes subscription site on May 15th. The attack was on the magazine subscription site forbesmagazine.com and not the main Forbes site forbes.com. A Forbes spokesperson states; “Forbes is fairly confident that no one was impacted by the skimmer.” Bleeping Computer explain ‘The attackers used the WebSocket protocol to exfiltrate the stolen data, a computer communications protocol which enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.’
Leicester City FC
The Register reported a payment skimmer on the Leicester City FC merchandise website which compromised the site for 11 days between April 23rd and May 4th. A formal statement from the club stated they started an investigation into the data breach. Additionally, Leicester City FC informed the Police, the Information Commissioner’s Office (ICO), and all affected customers.
Australian online fashion retailer Princess Polly suffered a Magecart attack from November 1st 2018 to April 29th 2019. On May 31st, in a Security Incident announcement on their website the company stated; “We have recently discovered an unidentified third party gained unauthorised access to our website.” Co-CEO of Princess Polly Wez Bryett states; “As soon as we became aware of this incident, we took immediate steps to investigate and confirm that our website was secure.”, and included an apology to customers. This incident affected customers on the Australian and New Zealand sites and did not impact customers on the US site.
Quest Diagnostics and LabCorp
US Medical Debt Collection company American Medical Collection Agency (AMCA) was compromised for 8 months from August 1st, 2018 to March 30th, 2019. ZDNet report that over 20 million US citizens have been impacted by the security incident. Companies affected by the attack include; Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix, and Sunrise Laboratories. This was Quest Diagnostics second breach in under 3 years, with a previous data breach of 34,000 patients data in 2016.
AMCA’s four largest clients immediately stopped doing business with the company. Due to this loss of business, AMCA filed for Chapter 11 protection and expenses for the data breach included more than $3.8m spent on mailing 7 million individuals. An additional cost of $400,000 had been spent on IT professionals and consultants. Multiple lawsuits have been filed against Quest Diagnostics, AMCA, and LabCorp for delaying notifications and failing to protect patient data.
At the start of July, Micham took to Twitter to reveal a Magecart attack on the newspaper site, The Guardian. Jerome Segura explained how the attack took place through an old AWS S3 bucket and using the skimmer gate is wix-cloud[.]com. The Guardian never responded to the attack and it is unknown how many customers were affected.
On July 8th, Jerome Segura discovered a web-skimmer on the website of suitcase and travel accessory provider, Pelican. Segura tweeted his discovery including the Skimmer: write-cdn[.]com, 93.158.203[.]189 and Exfiltration gate: nogaron[.]com, 185.143.223[.]105, explaining in a note that “skimmer JS and gate change often”. Segura made Pelican aware of the website skimmer and the code was then removed.
On August 5th, Security Researcher Jérôme Segura revealed on Twitter that the Everlast website was infected with a Magecart skimmer. This was not the first time Everlast had malicious code on their site. In November 2018 ZDNet reported Everlast as a high-profile victim under Magecart Group 1, alongside the National Republican Senate Committee and Guess (Australia).
National Baseball Hall of Fame
Bleeping Computer reported the National Baseball Hall of Fame website had been hacked, including an infection of malicious Magecart script. The script was active for 6 months from November 15th, 2018 until May 14th, 2019. The malicious code imitated Google Analytics, however, it sent data from the shop’s billing form to www.googletagstorage[.]com. This domain is registered to an IP address located in Lithuania and has been used in other attacks in the past. It is suspected that this group is Magecart Group 4 due to similar modus operandi.
On September 12th, Bleeping Computer reported Garmin South Africa (SA) disclosed malicious activity was found on their shopping site portal. Jennifer Van Niekerk, SA Managing Director, announced: “We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website”. A Garmin spokesperson confirmed that their site portal, operated by a third-party, was compromised by a card skimming script which affected 6,700 South African customers.
Public transport company SEPTA had their online store compromised for 25 days. The Philadelphia Inquirer reported the attack explaining that Shop.septa.org had been infected with malicious code. The site was used to make ticket purchases and also sold SEPTA merchandise. SEPTA spokesperson Andrew Busch said, “It wasn’t heavily used.” However from June 21st to July 16th, when the site was compromised, 761 customers had their personal and financial information stolen. SEPTA shut down the affected site within an hour of discovering the attack, however, it took almost two months before affected customers were notified.
On September 27th, The Register reported that Fragrance Direct’s website has been compromised. Macclesfield-based company Fragrance Direct confirmed the attack stating; “We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party”. A digital security firm was hired to investigate the incident and quickly found the source of the problem. Fragrance Direct reported the data breach to the ICO and informed affected customers.
Bleeping Computer revealed that hackers had compromised ecommerce shopping cart provider Volusion. As many as 6,600 websites may have been affected, including the popular Sesame Street website. Some websites were compromised as early as September 12th. This was an advanced attack with the attacker naming the files with a legitimate description from an API that handles cookies. Investigating the script reveals it was siphoning credit card information to another domain, also disguised to look like a legitimate analytics domain. On October 8th, Volusion confirmed via Twitter that they fixed the vulnerability on their site.
On October 16th, ABC WLOS reported a Magecart attack on the health-care provider Mission Health, which had lasted over 3 years. Mission Health is based in North Carolina and also offer health-related products on their online store, which is where the Magecart attack occurred. Mission Health announced their site had been infected with malicious code from March 2016 until June 2019.
Umbro Brasil were hacked not once, not twice but three times in October 2019. In September 2018 the popular sportswear brand were first hacked with two web-skimmers. Fast-forward to October 15th and RapidSpike’s Security Researcher discovered two new website skimmers, the second skimmer, thought to be associated with Magecart Group 9. The skimmers were removed a few days later, however, on October 21st new malicious code appeared. The hosts used (fileskeeper[.]org and mageento[.]com), were already known by RapidSpike Magecart Detection.
Procter and Gamble’s First Aid Beauty
Health and consumer mega-brand Procter and Gamble (P&G) had a 5-month long Magecart attack on one of their brands, First Aid Beauty. Willem de Groot discovered the malicious script present on the website since May 5th. Despite contacting them, a week later he still had not received a reply from them and the malicious script was still active. It is not known how many customers were affected by the malicious code – however, the site had approximately 100,000 monthly visitors in the past six months.
On October 28th, RapidSpike’s Security Researcher revealed that French fashion brand Sixth June had a skimmer on their website. The brand have 400k social followers, are featured on ASOS and have been seen on celebrities including Khloe Kardashian. The skimmer was discovered on October 23rd but could have been present before this date. The specific skimmer used has also been discovered during a wider investigation and is apparent on at least another 80 websites.
After reporting the attack to the company the previous week, there was no reply and the malicious code was still present. Finally, on October 30th the skimming code had been removed. The number of customers affected is unknown however, Bleeping Computer report the site has approximately 70,000 monthly visitors in September alone. The site was quickly re-infected and has since been spotted with additional website skimmers.
American Cancer Society
On October 28th, TechCrunch reported the American Cancer Society website as a victim of credit card-stealing malware. The code was disguised behind legitimate Google Tag Manager code. Upon customers checking out, the code searches for ‘checkout’ and then loads the actual skimming code from ‘thatispersonal.com/assets/cancer.js’, hosted in Russia. The skimmer was discovered on October 24th and was removed the following day.
Bleeping Computer reported that on November 14th, Macy’s released a Notice of Data Breach informing customers of a data breach on their site macys.com. It was revealed that on October 15th they were first alerted to a “suspicious connection” between macys.com and another website. Upon investigating this connection, the Macy’s security team discovered malicious code had been present on their site since October 7th. An unauthorised third-party added malicious code to two pages on macys.com, including the checkout page and the wallet page, accessed through My Account. Macy’s acted quickly and removed the malicious code the same day they discovered it. Macy’s have provided affected customers identity protection services for 12 months free of charge.
Smith & Wesson
On December 2nd, Bleeping Computer reported gun manufacturer Smith & Wesson’s website had been compromised by a Magecart attack. Security researcher Willem De Groot discovered the site had been compromised on November 27th with a script from the URL live.sequracdn[.]net/storage/modrrnize.js. The script was highly advanced and loaded a non-malicious or malicious script depending on whether the customer fit their target customer. De Groot also made discoveries that this Magecart group had been registering domains imitating his security company.
Sweaty Betty’s website was compromised with a payment skimmer for 9 days. Customers who shopped on the website between November 19th at 6.42 pm to November 27th at 2.52 pm may have had their personal and financial data stolen however, this did not affect customers making purchases with saved payment information, Apple Pay or PayPal. Sweaty Betty reported the incident to the Police via Action Fraud as well as the ICO.
On December 13th, Bleeping Computer reported a Magecart attack on production company, Rooster Teeth Productions. The attack was discovered on the Rooster Teeth website on December 2nd and removed the same day. The attack redirected shoppers to a fake payment form upon checkout which would send their payment details to an external server. Once customers had filled out the fake form they would then be redirected to the normal payment checkout to complete genuine checkout. The number of customers affected was never revealed.
The last Magecart attack reported in 2019 on a brand was jewellery brand, Missoma. It was reported that the brand, popular with celebrities and Royal family members, was attacked. In an email to customers, Missoma told shoppers: ‘third-party malicious software targeted the payments page of our website and inserted a code that was designed to capture information entered during the checkout process’. Specific attack dates are unknown, however, orders placed from September were affected. Missoma have confirmed that the malicious code was removed December 16th. The brand offered free credit monitoring to affected customers and have informed the relevant authorities, Information Commissioner’s Office and the UK’s data protection authority.
RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Magecart Detection would have detected every attack. Magecart detection takes less than 5 minutes to set-up and will alert you to any untrusted data on your ecommerce site.
For more information about attacks mentioned, visit out Magecart Monthly archive.