Magecart Monthly: Sporting Sites New Prime Target for Magecart

August 29, 2019

Georgina Grant-Muller Read Blog: 6 min

The sports market has suffered a host of cybersecurity problems from FC Barcelona Twitter account being hijacked to the FIFA data breach. Now Magecart are taking advantage of cybersecurity patches. We discuss the latest Magecart victims and the reasons why so many sports websites fall under attack.

National Baseball Hall of Fame

Bleeping Computer reported the National Baseball Hall of Fame website had been hacked, including an infection of malicious Magecart script. The script was active for 6 months from November 15th, 2018 until May 14th, 2019. Details stolen include; names, addresses and credit or debit card information, including the CVV code.

The company sent messages to their customers stating; “The National Baseball Hall of Fame values and respects the privacy of your information, which is why we are writing to advise you of a recent incident that may have involved some of your personal information. On June 18, 2019, we learned that some of your information could have been obtained by an unauthorized third-party that placed malicious computer code on the Hall of Fame web store (shop.baseballhall.org) e-commerce system. The code may have targeted certain personal information of customers who made a credit card purchase via the web store between November 15, 2018 and May 14, 2019.”

The malicious code imitated Google Analytics – however it sent data from the shop’s billing form to www.googletagstorage[.]com. This domain is registered to an IP address located in Lithuania and has been used in other attacks in the past. It is suspected that this group is Magecart Group 4 due to similar modus operandi.

Everlast

On the 5th August Security Researcher Jérôme Segura revealed on Twitter that the Everlast website was infected with a Magecart skimmer;

“#Magecart #skimmer loaded from mageento[.]com, exfiltrates data to onlineclouds[.]cloud. Victim: boxing brand Everlast’s shopping portal (everlast[.]com) Malwarebytes was blocking the exfiltration gate already. This incident was reported to the merchant.”

This is not the first time Everlast have had malicious code on their site. In November 2018 ZDNet reported How Magecart Groups are stealing your card details from online stores. In this article, Everlast are named as a high-profile victim under Magecart Group 1, alongside the National Republican Senate Committee and Guess (Australia).

Both attacks have little to no coverage on them and there have been no updates or comments from Everlast themselves.

Sports Websites Cybersecurity

In the Sports Global Market Opportunities And Strategies 2019 To 2022 Report, the Global Sports market reached a value of nearly $488.5 billion in 2018 and is expected to grow to nearly $614.1 billion by 2022. Revenue sources include: gate revenues, media rights, sponsorship and merchandising – much of which comes from the internet. Sports merchandising is expected to be the fastest-growing segment going forward at a compound annual growth rate of 7%. Similarly, The UK Sports Market 2017 – 2022 forecast The UK Sports Market to reach £10.6bn in 2022. With Sports clothing & footwear making up 55.7% of the market in 2017 and is forecast to reach 56.9% in 2022.

Magecart attacks have occurred on both sports ticketing sites and merchandise/sporting goods sites. Since the beginning of 2019, we have seen a large increase in Magecart attacks, with formjacking becoming a preferred tactic, being responsible for 71% of web-based data breaches. As these forecast reports suggest, sports merchandising sales are set to increase and therefore these high-profile sites become a key target for Magecart.

In 2015 James Hampshire wrote Professional Sports Teams are Risking a Cybersecurity Own Goal for Infosecurity Magazine; “The world of professional sport faces a significant cyber-threat, due to the data teams hold and their high profile. […] The huge media profiles of major sports teams also increases their value as targets for malicious cyber-activity.” Amongst other sports data, Hampshire explains that Hackers value “…large volumes of personal and payment card data from online retail, ticketing sales and supporter programs, all of which can be leveraged and monetized.”

Additionally, In June 2017 BBC News reported on a study in the Journal of Cyber Security Technology that News and Sports websites were ‘vulnerable to attack’. The study found that fewer than 10% of news and sports websites used basic security protocols such as HTTPS and TLS.

Some notable sports websites which have recently been attacked by Magecart include:

Title Nine: Infected from 19th May 2018 to 9th July 2018.
Topps: Infected from 19 November 2018 to 9th January 2019.
Fila: Infected from November 2018 to March 2019
Atlanta Hawks: Infected from Saturday 20th April 2019 to 24th April 2019
Leicester City FC: Infected from 23rd April 2019 to 4th May 2019
Puma Australia: Infected from 25th April 2019 to ~29th April 2019

With an increase of Magecart attacks being reported on Twitter, we also see this trend for the sports market. @mylaocoon wrote; ‘got to love it – notifying a global sports shop of formjacking/magecart malware on their shop two weeks later its still infected, no response, but my email is on now their marketing newsletter’. It is currently unknown which website this is referring to, however, with multiple security companies scanning websites every day, it is only a matter of time before Magecart attacks come to light.

Why are sports websites under attack?

The global sports market is expected to grow to nearly $614.1 billion by 2022.
Loyal fan-bases are consistently buying tickets, merchandise, and memberships.
Sports websites are notorious for little to no cybersecurity processes in place.
Any Magecart attack deployed on a poorly-configured sports site would have a high ROI for the attackers.

The combination of a high-volume of website sales and lack of cybersecurity makes sports websites an ideal target for attacks.

Remediation

As sports websites continue to grow in popularity, companies need to prepare for attacks when they occur. It is highly likely that at the time of writing this blog, multiple sports websites are currently infected with malicious code. RapidSpike currently monitor several high-profile sporting websites, in addition to Magecart monitoring, RapidSpike Performance, Assurance, Availability, SEO and Security monitors ensure sports websites are up, running fast and serving happy customers.

RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Data Breach Monitor would have detected every attack. Click here to learn more about our Data Breach Monitor.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.