[BreachExchange] Attackers Steal Credit Cards in Rooster Teeth Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Dec 16 10:14:58 EST 2019


Rooster Teeth Productions have suffered a data breach that allowed
attackers to steal credit card and other payment information from
shoppers on the company's online store.

The production company, known for its popular shows and documentaries
such as RTDocs, Crunch Time, Red vs. Blue, gen:LOCK, and Day 5,
suffered an attack that redirected shoppers to a fake payment form on

According to a data breach notification, Rooster Teeth discovered on
December 2nd that their online store was hacked earlier that day. As
part of this hack, a malicious script was injected into the store that
would cause the shopper to be redirected to a fake payment page under
the control of the attackers.

"On December 2, 2019, Rooster Teeth discovered that malicious code had
been added to the Site earlier the same day.  The malicious code
directed users entering a checkout on the Site to a spoofed webpage
where they were asked to enter payment card details in order to
complete their purchases.  This was inserted after the stage at which
users entered their shipping data.  Users who completed the payment
card details page were then directed to the real webpage, where they
were asked to complete the forms again."

This allowed the attackers to steal a customer's name, email address,
telephone number, physical address, and/or payment card information
that was submitted.

This malicious code was removed from their store on the same day.

Rooster Teeth has sent data breach notifications to customers who were
affected by this breach and are offering a free 1-year Experian
IdentityWorks subscription.

For those who were affected, BleepingComputer strongly suggests that
you contact your credit card merchant and explain the situation. You
should also monitor your statements for any fraudulent or suspicious
charges and dispute them immediately if detected.

Not a common Magecart attack

Most online store credit card stealing attacks that we have seen
recently are called Magecart attacks and involve compromising an
online store to inject malicious scripts. These scripts will then
quietly monitor for submitted credit card information and then send it
a remote 'drop' site under the attacker's control so that it can be

Yonathan Klijnsma of RiskIQ told BleepingComputer that Rooster Teeth
was affected by an attack similar to ones that were recently disclosed
in the researcher's Full(z) House: a digital crime group report.

In the attack described in Full(z) House and Rooster Teeth's data
breach notification a malicious script was combined with a phishing
page under the attacker's control to steal the payment information.

For example, below is a fake Commonwealth Bank phishing page that is
used to steal payment information from Australian customers in attacks
like this.

Fake Commonwealth Skimming page

Malwarebytes' Jérôme Segura, who first spotted the phishing trick used
in these attacks, told BleepingComputer that this attack utilizes a
variety of different phishing pages depending on the geographic region
of the shopper.

Below are a list of domains Segura stated are used in these attacks:

When a user clicked on the button to make a payment, instead of being
shown the store's normal payment page, they would be redirected to a
fake payment page pretending to be for a credit card merchant but is
under the attacker's control.

This is similar to a legitimate redirect a user may encounter when
purchasing items on stores that process payments through Google Pay or

When the shopper submits the payment information, it is transmitted to
the attacker's server where it can be collected later. The phishing
page then redirects the user back to the store's legitimate payment
checkout page where the customer will be prompted to submit the
information again.

While not a traditional Magecart attack, it does achieve the same
result. It also shows us that the attackers are constantly evolving
their operations to use new attack scenarios and methods that we must
be aware of.

More information about the BreachExchange mailing list