[BreachExchange] MyPillow and Amerisleep Targeted in Magecart Group Attacks

Destry Winant destry at riskbasedsecurity.com
Mon Mar 25 10:58:51 EDT 2019


In both breaches of MyPillow and Amerisleep, the customers whose
payment information was potentially stolen were not informed.

The Magecart threat group continues its offensive with two newly
disclosed breaches targeting bedding retailers MyPillow and

The group attacked the two companies with online payment credit card
skimming attacks, researchers with RiskIQ said on Wednesday. While
MyPillow removed a skimmer impacting its website, Amerisleep has yet
to remove the malware and the breach is ongoing despite numerous
attempts by researchers to contact the affected retailer. In both
cases, the consumers, whose payment information was potentially
stolen, have yet to be informed, according to researchers.

“Magecart has capitalized on the fact that the security controls of
small companies who provide services to enhance the websites of global
brands are far less developed than the security controls of the global
brands themselves,” said RiskIQ’s threat researcher, Yonathan
Klijnsma, in a post.

Klijnsma told Threatpost that while he does not know how many could
have been impacted, services like Similarweb show that Amerisleep has
half a million visitors every month; while MyPillow has around a
million visitors per month – meaning the impact could be

Magecart, which has made headlines over the past year for high-profile
breaches of companies like VisionDirect, Ticketmaster and more, is
known for its use of web-based, digital card skimmers, Magecart uses
scripts injected into websites to steal data that’s entered into
online payment forms on e-commerce websites directly or through
compromised third-party suppliers used by these sites.

In this most recently disclosed case, the threat group has turned its
attention to the online ecommerce platforms for two popular bedding


Magecart first targeted MyPillow’s e-commerce platform in October 2018
with a series of different attacks, intending to steal payment
information via its online website (mypillow.com), researchers said.

Attackers first used a typo-squat method (adding a typo to a fake
domain to make it seem real), registering mypiltow[.]com, which looked
like the primary domain of MyPillow and was covered with an SSL
certificate. They then injected a script, containing a heavily
obfuscated skimmer, into the fake webstore and scraped up payment card
info entered onto that site by visitors who were fooled into thinking
it was MyPillow’s legitimate site.

While this domain was quickly identified as illicit, “Based on what
RiskIQ sees typically, this type of domain registration typo-squatting
means that the attackers had already breached MyPillow and started
setting up infrastructure in its name,” Klijnsma said.

In their second stage of the attack, attackers then registered a new
domain, livechatinc[.]org, and hid this domain within the legitimate
LiveChat script, which is an existing service that MyPillow uses, in
MyPillow’s site.

“The attackers played a brilliant game the second time they placed a
skimmer on the MyPillow website, adding a new script tag for LiveChat
that matched a script tag usually inserted by the LiveChat scripts,”
said Klijnsma.

The last time researchers observed a skimmer active on the MyPillow
website was Nov. 19 – since then, they haven’t observed newly
registered domains for attacks on MyPillow.

Mike Lindell, CEO of MyPillow, meanwhile confirmed to Threatpost that
there was an “attempted breach” on MyPillow.

“I can confirm there was an attempted breach on the mypillow.com
website on October 5th,” he said. “It was caught immediately. MyPillow
hired a third party to investigate. They found no indication that the
breach was effective or that any customer’s information was
compromised. MyPillow reported the attempted breach to the authorities
and has increased security on our website. Our customers and their
security are my number one priority.”

However, Klijnsma told Threatpost, “this statement is absolutely false
as we observed live skimmers on the webpage which would have worked to
steal (skim) information.”


The first indication of compromise on the Amerisleep websites started
back in April 2017, researchers said. The mattress company has both
physical stores in the US, as well as an online sales platform on

Magecart first injected malicious scripts on Amerisleep’s website,
attempting to make away with credit cards – and this attack lasted for
half a year, ending in October 2017. Then, in December 2018, Magecart
attacked again. The group set up a Github repository under
Amerisleep’s name, and used that to host several scripts and inject
those into the Amerisleep website.

“In December 2018, the attackers had used a new skimming setup with a
fascinating new method. The attackers abused Github by registering a
Github account called “amerisleep” and creating the Github Pages
address amerisleep.github.io.” said Klijnsma.

With help from Github, meanwhile, researchers with RiskIQ took down
the Github repository and the Github Pages account.

The actors then quickly abandoned the Github  approach and instead
focus on injections through their own custom domains.

Starting in January, researchers observed a different skimmer that
Magecart actors injected. That skimmer is still operating: “Attempts
to inform Amerisleep through their support desk and directly via email
has gone unanswered,” researchers said.

Amerisleep has not yet responded to a request for comment from Threatpost.

Moving forward, retailers need to be further educated about Magecart
and how to better secure their e-commerce platforms. However, when it
comes to safeguarding websites, “there is, sadly, not just one
answer,” Klijnsma told Threatpost.

“Just like with normal security its about a layered approach,
protecting on the server-side of the payment platform to secure it as
well as externally on the public side,” he told Threatpost. “It’s
mostly about setting up barriers and making sure at least one of those
will trip up the bad guys, there is not one simply solution to
Magecart attacks rather its a whole variety of techniques to block or

More information about the BreachExchange mailing list