Threat Management, Malware, Network Security

Magecart hackers force turnover, steal data from Atlanta Hawks’ online shop


Cybercriminals using Magecart card-skimming code attacked the online store of the NBA's Atlanta Hawks, stealing customers names, addresses and payment card numbers.

The Sanguine Labs team at Sanguine Security identified the offending code on the store's checkout page on Saturday April 20, according to a post on the security company's website. But research from RiskIQ following this public disclose revealed that the website,, had been compromised far longer than that.

"The first time we detected skimming code on the website was June 6th of 2017, RiskIQ threat researcher Yonathan Klijnsma, Threat Researcher told SC Media. "The compromise wasn’t targeted however, it was one aimed at hundreds of websites at the same time."

In an April 23 article, CNET reported that an Atlanta Hawks team representative said the malware is no longer active on the site. However, in a tweet published one day later, Sanguine Labs' lead forensic analyst Willem de Groot responded to this claim by asking "Is it?" and displaying an image of apparent Magecart code, which suggests the problem code still remained.

As of 1 p.m. ET on April 24, was temporarily down for maintenance, presumably to fix the issue. But de Groot told SC Media that this response only occurred very recently, after his tweet had been published.

"This week, I had reached out to the customer service, and also to their CRO, CIO and director of IT, but have not heard back since, de Groot," said to SC Media.

"We take these matters of security and privacy extremely seriously," said a statement sent to SC Media by the Hawks' organization. "Yesterday, we were alerted the host site for was subject to an isolated attack. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident. At this stage of the investigation, we believe that less than a handful of purchases on were affected. We are continuing to investigate and will provide updates as needed."

The statement did not address any of the other points of contention referenced by de Groot. runs on Adobe's Magento Commerce Cloud 2.2 e-commerce system. Sanguine Labs suspects the intruders may have compromised the system via an insecure third-party component.

Sanguine researchers also linked this incident to malicious domain, where stolen customer information was exfiltrated. The domain was very recently registered on March 25, 2019.

The Magecart threat has grown in prominence over the last year, especially after attackers struck several big-name targets, including Ticketmaster UK, British Airways and Newegg.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.