[BreachExchange] Hackers hit Atlanta Hawks shop with malware that steals credit card information

Destry Winant destry at riskbasedsecurity.com
Thu Apr 25 08:39:18 EDT 2019


https://www.cnet.com/news/hackers-hit-atlanta-hawks-with-malware-stealing-credit-card-information/

The Atlanta Hawks need to play better defense online after a security
researcher discovered malware at the basketball team's online store.

The merchandise website for the Hawks, the 12th-ranked team in the
NBA's Eastern Conference, was infected with malware designed to steal
credit card information, according to Willem de Groot, lead forensic
analyst at Sanguine Security.

De Groot said he first spotted the malware April 20 and noted it was
stealing the names, addresses and credit card numbers of Hawks fans.
He said he notified the team on Tuesday.

"We take these threats seriously and are investigating," a Hawks
spokesperson said. The malware is no longer active on the site, the
representative said.

The malware represents the latest example of a credit-card skimming
scam that's gained steam over the last few years. During the last
several months, NewEgg, British Airways and Ticketmaster UK were among
the victims of the same type of attack, perpetrated by Magecart, the
world's largest credit card-skimming operation, made up of different
hacking groups.

De Groot said Magecart, which targets popular online stores with
security vulnerabilities, also hit Hawks Shop, a site for Atlanta
Hawks fans to buy hats, jerseys and other team gear.

"The frequency of hacked stores has gone down somewhat. However, the
volume of stolen transactions apparently has gone up," de Groot said.
"They seem to have shifted from hacking many small stores (automated
breaches) to manual breaches of larger, more profitable targets."

The Atlanta Hawks shop boasted 7 million visits in one year and has
more than 1.2 million followers on Twitter.

De Groot said he was able to spot the malware embedded on the Hawks
Shop website through a Magecart detection engine he developed. The
engine searches online stores for active payment skimmers. He said the
tool finds between 50 and 150 stores compromised per day.

He tested out the malware by using fake credentials to order an
Atlanta Hawks hat. De Groot said he found code on the website that was
logging his keystrokes as he entered the numbers in the payment form.
The data was sent to a domain name first registered March 25 and
hosted by a provider popular with online criminals.

"The Magecart signature theft is to steal payment data, right when a
customer enters them. Because at this stage, nothing has been
encrypted yet, and the typical customer has no way of knowing that his
data get siphoned off," he said in a message.

It's still unclear how the hackers gained access to the Hawks Shop
website, but de Groot said it's likely they didn't have to. In
previous attacks, Magecart was able to compromise third-party tools
and use them to infiltrate the shops.

