We’ve seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies like British Airways, Ticketmaster, and Newegg. These Magecart groups have won unprecedented attention for themselves.
Security professionals have Magecart firmly on their radar, but they must remember that Magecart is a continuously evolving cybersecurity threat and there are new victims all the time. At RiskIQ, we detect hundreds of Magecart incidents every day but don’t publicly document the vast majority of what we find. We only document significant events or changes in a group’s mode of operation or capabilities.
In this blog, we document two Magecart-related breaches of bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed; the other is ongoing despite our numerous attempts to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.
Note: In both breaches, only online payments were affected, not physical transactions.
MyPillow is a pillow manufacturer whose products sell at many different retailers; it also runs its own e-commerce platform on its website, mypillow.com.
In October 2018, Magecart attackers breached MyPillow’s e-commerce platform with the intent to steal payment information, and it was clear that this targeted attack included some preliminary analysis of the target. On October 1st, the attackers registered mypiltow.com, a typo-squat on MyPillow’s primary domain, and set up a Let’s Encrypt SSL certificate to cover it. Based on what RiskIQ typically sees, this kind of typo-squat domain registration means the attackers had already breached MyPillow and were setting up infrastructure in its name.
Magecart attackers then injected a script tag into the MyPillow web store that loaded a skimmer hosted on mypiltow.com:
This skimmer was active on the website for a short period, and the domain was quickly identified as illicit. However, the attackers appear to have maintained their access to MyPillow, and on October 26th they registered a new domain for stage two of the attack: livechatinc.org. This domain is considerably more interesting because it top-level-domain (TLD)-squats on LiveChat, an existing service that MyPillow used and whose official site uses the ‘.com’ TLD. LiveChat is a live support chat service that online retailers can add to their websites, and it is a ubiquitous sight on e-commerce sites and platforms.
The attackers played a brilliant game the second time they placed a skimmer on the MyPillow website, adding a new script tag for LiveChat that matched the script tag usually inserted by the LiveChat scripts. The Magecart attackers went even further by proxying the standard script returned from the real LiveChat service and appending the skimmer code below it:
The last time we observed this skimmer active on the MyPillow website was November 19th. Since then, we have not observed newly registered domains for attacks on MyPillow.
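The proxy-and-append technique described above leaves a simple fingerprint for defenders who keep a known-good copy of each third-party script: the served body differs from the reference only by a suffix. The following check is an added example written for this article, not RiskIQ's tooling or code from the post. KNOWN_GOOD and SERVED are constructed stand-ins for the LiveChat loader and for what a proxying look-alike host returned; the indicator list is an assumption about what rarely belongs in a chat-widget loader.

```python
"""
Drift check for a third-party script: compare what a host serves against a
known-good copy, report whether the change is a pure append, and list
indicator strings found in the appended suffix. Also emits the Subresource
Integrity value for the known-good body.
"""
import base64
import hashlib

# Constructed stand-in for the legitimate third-party loader (not LiveChat's code).
KNOWN_GOOD = "(function(){window.__lc=window.__lc||{};window.__lc.license=12345;})();\n"
# Constructed stand-in for what a proxying look-alike host served: the same body
# with extra code appended. The suffix only names a DOM query so the indicator
# scan has something to match; it is not a working skimmer.
SERVED = KNOWN_GOOD + "/* appended */ document.querySelectorAll('input');\n"

# Assumed indicator list: APIs that rarely belong in a chat-widget loader.
INDICATORS = ["querySelectorAll('input')", "XMLHttpRequest", "sendBeacon(", "btoa("]


def sri_hash(body):
    """Subresource Integrity value (sha384-<base64>) for a script body, the form
    used in a <script integrity="..."> attribute."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def compare(known_good, served):
    """Report whether a served script matches, was extended, or was rewritten."""
    if served == known_good:
        return {"changed": False, "appended_only": False, "added": ""}
    appended_only = served.startswith(known_good)
    return {
        "changed": True,
        "appended_only": appended_only,
        # For a pure append, the suffix is exactly the injected material.
        "added": served[len(known_good):] if appended_only else "",
    }


def flagged_indicators(snippet):
    """Indicator strings present in a snippet, in INDICATORS order."""
    return [ind for ind in INDICATORS if ind in snippet]


def check(known_good, served):
    """Full check: drift report, indicators in any appended suffix, expected SRI."""
    report = compare(known_good, served)
    report["indicators"] = flagged_indicators(report["added"])
    report["expected_integrity"] = sri_hash(known_good)
    return report


if __name__ == "__main__":
    print(check(KNOWN_GOOD, SERVED))
```

An integrity attribute on the legitimate LiveChat tag would not by itself have stopped the MyPillow case, because the attackers added a second tag pointing at their own host; it catches silent modification of a script the page already trusts, while a Content Security Policy script-src allowlist is what rejects a tag for an unlisted host, provided the attacker cannot also alter the policy.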
Amerisleep is a mattress company with physical stores across the US and an online sales platform on amerisleep.com.
The first occurrences of compromise on the Amerisleep website started back in December 2016 and continued into 2017. Over the rest of the year, the Magecart actors managed to skim cards during transactions. It all started with injected scripts hosted on magescripts.pw:
The referenced script contained an obfuscated skimmer:
This compromise held its ground for quite a long time. Here is a timeline of the other observed scripts, with the last one observed in October 2017:
It may seem there were significant gaps in “coverage” of the skimmer, for two reasons:
With the two factors above considered, we assume the first skimming operation ran from December 2016 until at least the first half of October 2017. After that, Amerisleep was clean of skimmers for close to a year—RiskIQ did not observe any injected skimmer tags to external domains during that time. However, in December 2018, Amerisleep fell victim to Magecart once again.
In December 2018, the attackers used a new skimming setup with a fascinating new method. They abused GitHub by registering a GitHub account called “amerisleep” and creating the GitHub Pages address amerisleep.github.io:
The amerisleep.github.io repository contained three files: an empty README.md, index.html, and jquery_validator.js. The index.html file simply contained a script tag for the jquery_validator.js script:
The jquery_validator.js script contained a skimmer that was included on the Amerisleep website directly:
Here is a cleaned-up version; it is a typical generic skimmer script:
This skimming method quickly disappeared. The actors decided to abandon the GitHub Pages approach and instead focus again on injections through their own custom domains. With help from GitHub, RiskIQ took down the GitHub repository and the GitHub Pages account.
Starting in January, we observed a different skimmer that Magecart actors injected with some conditional checks to ensure the script would only go on payment pages. Formerly, the skimmers themselves would check to see if they were already on an active payment page.
These actors moved the check so that their skimmers were injected only on payment pages rather than on every page:
While the skimmer domain, cmytuok.top, has been taken offline, the injection is still live on the website as of this publishing. Attempts to inform Amerisleep through their support desk and directly via email have gone unanswered.
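The indicators that run through both cases (a typo-squat of the shop's own domain like mypiltow.com, a TLD-squat of a third party the shop really uses like livechatinc.org, the brand name on free hosting like amerisleep.github.io, and injections confined to payment pages) can be checked from the shop's own HTML. The auditor below is an added example for this article, not RiskIQ's detection or code from the post. It assumes the brand host www.mypillow.com, an allowlist containing cdn.livechatinc.com (assumed here to be LiveChat's genuine script host), constructed HTML for two pages, a one-entry free-hosting list, and a simplified registrable-domain split that ignores multi-part suffixes such as co.uk.

```python
"""
Audit a shop's external <script src> references: classify each external host
against the brand domain and a third-party allowlist, and note whether it
appears only on payment pages. All hostnames, allowlist entries and HTML here
are constructed samples, not captures from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_HOSTING = {"github.io"}  # assumed; extend with other static hosts


class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <script> tag seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])


def registrable(host):
    """(label, tld) from the last two labels; ignores suffixes like co.uk."""
    parts = host.lower().split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")


def edit_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def external_hosts(html, brand_host):
    """Script-source hostnames that are not the brand's own domain."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        # "//host/x" is protocol-relative; "/x" is same-origin and has no host
        host = urlparse(src if "://" in src else "https:" + src).hostname
        if host and registrable(host) != registrable(brand_host):
            hosts.add(host)
    return hosts


def classify(host, brand_host, allowed_hosts):
    """Return (verdict, reference) for one external script host."""
    if host in allowed_hosts:
        return "allowed", host
    label, tld = registrable(host)
    brand_label = registrable(brand_host)[0]
    if f"{label}.{tld}" in FREE_HOSTING and host.split(".")[0] == brand_label:
        return "brand-on-free-hosting", f"{label}.{tld}"
    if edit_distance(label, brand_label) <= 2:
        return "typosquat-of-brand", brand_host
    for allowed in sorted(allowed_hosts):
        a_label, a_tld = registrable(allowed)
        if label == a_label:
            return ("unlisted-host-of-third-party" if tld == a_tld
                    else "tld-squat-of-third-party"), allowed
        if edit_distance(label, a_label) <= 2:
            return "typosquat-of-third-party", allowed
    return "unknown", ""


def audit(pages, brand_host, allowed_hosts, payment_paths):
    """pages: {path: html}. Flag each external host and whether it appears only
    on payment pages, the placement the conditional injections above aim for."""
    seen = {}
    for path, html in pages.items():
        for host in external_hosts(html, brand_host):
            seen.setdefault(host, set()).add(path)
    report = {}
    for host, paths in seen.items():
        verdict, reference = classify(host, brand_host, allowed_hosts)
        report[host] = {"verdict": verdict, "reference": reference,
                        "payment_only": paths <= set(payment_paths),
                        "paths": sorted(paths)}
    return report


BRAND_HOST = "www.mypillow.com"
ALLOWED_HOSTS = {"cdn.livechatinc.com"}  # assumed allowlisted third-party host
PAYMENT_PATHS = ["/checkout"]
SAMPLE_PAGES = {  # constructed HTML, not captures of any real page
    "/": '<script src="/js/app.js"></script>'
         '<script src="https://cdn.livechatinc.com/tracking.js"></script>',
    "/checkout": '<script src="/js/app.js"></script>'
                 '<script src="https://cdn.livechatinc.com/tracking.js"></script>'
                 '<script src="https://livechatinc.org/tracking.js"></script>'
                 '<script src="//mypiltow.com/checkout.js"></script>'
                 '<script src="https://mypillow.github.io/jquery_validator.js"></script>',
}

if __name__ == "__main__":
    print(audit(SAMPLE_PAGES, BRAND_HOST, ALLOWED_HOSTS, PAYMENT_PATHS))
```

Because the later Amerisleep injection was gated to payment pages, a crawl that only samples the home page sees nothing; the audit therefore takes the checkout path as input and reports any host that appears there alone.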
Businesses need to focus on visibility into internet-facing digital attack surfaces and increased scrutiny of third-party services that form an integral part of modern web applications. Consumers are at an increased risk of seeing their personal information compromised. Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.
With the increased efficiency of credit card-skimming groups, the time it takes for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly. The reputation of organizations that run payment forms online and the overall confidence of online shoppers are at stake.
You’ve lately heard a ton of chatter from security vendors around Magecart — what it is, how it operates, and how you can defend against it. The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. They’re copying the research of others, and some even add to the confusion by calling Magecart something completely different like “form jacking.”
Cut through the noise. Because of RiskIQ’s internet-scale visibility and ability to view a business’s internet-facing digital attack surface as Magecart sees it, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.
In the months and years to come, it is likely that new variants of these sorts of web skimming attacks will emerge, either by the current, or new Magecart groups. While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce. Learn more about Magecart here.