Atlanta Hawks Fall Prey to Magecart Credit Card Skimming Group (Apr 25, 2019)
Researchers at Sanguine Security identified payment-skimming code on the Atlanta Hawks merchandise site on or after April 20, 2019. Customer information, including names, addresses and credit card details, was stolen using keylogger malware. Magecart, an umbrella term for groups that specialise in stealing payment information from e-commerce sites, specifically sites using Magento, is reportedly behind the attack. Using a skimmer, the group logged visitor keystrokes and sent the information to the domain "imagesengines[.]com." Researchers believe the attackers may have gained access through a third-party component on the website. In response, the Atlanta Hawks site disabled all payments to prevent further information from being stolen.
Recommendation: Payment card information should only be provided to trusted vendors' sites. Read bank statements carefully to check for any unauthorised behaviour, or contact your bank if you suspect you may have had your credit card information stolen. Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
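One way to act on the monitoring advice above, as an added example that is not part of the original briefing: a Python check that parses a storefront page and flags resource hosts outside an allowlist, plus any reference to the exfiltration domain named in the report. The shop.example and unknown.example hosts, the paths and the allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Exfiltration domain from the report, kept defanged in source and refanged for matching.
IOC = "imagesengines[.]com".replace("[.]", ".")
SKIMMER_DOMAINS = {IOC}
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}

class ResourceAudit(HTMLParser):
    """Collects hosts of externally loaded resources and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_inline = set(), [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTRS.get(tag, ""))
        host = urlparse(url, scheme="https").hostname if url else None  # also parses //host/path
        if host:
            self.hosts.add(host.lower())
        self._in_inline = tag == "script" and not attrs.get("src")
    def handle_endtag(self, tag):
        self._in_inline = self._in_inline and tag != "script"
    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data.lower())

def in_domains(host, domains):
    # True if host equals a listed domain or is a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(html, allowed):
    """Return (finding, value) pairs; `allowed` is the site's own host allowlist."""
    p = ResourceAudit()
    p.feed(html)
    p.close()
    findings = []
    for host in sorted(p.hosts):
        if in_domains(host, SKIMMER_DOMAINS):
            findings.append(("known-skimmer-host", host))
        elif not in_domains(host, allowed):
            findings.append(("unlisted-host", host))
    findings += [("inline-reference", d) for d in sorted(SKIMMER_DOMAINS)
                 if any(d in text for text in p.inline)]
    return findings

# Constructed sample page; shop.example and unknown.example hosts and all paths are made up.
SAMPLE = f"""<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="//stats.unknown.example/t.js"></script>
<script>var u = "https://{IOC}/x";</script>
<form action="https://pay.shop.example/submit"></form>"""
```

Calling `audit(SAMPLE, {"shop.example"})` reports the unlisted statistics host and the inline reference to the exfiltration domain; an inline skimmer has no `src` attribute, which is why script bodies are searched as well as resource URLs.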