MyPillow and Amerisleep are the latest victims of Magecart gangs

Pierluigi Paganini March 20, 2019

Security experts at riskIQ revealed today that another two organizations were victims of Magecart crime gang, the bedding retailers MyPillow and Amerisleep.

Security experts at RiskIQ announced that the two bedding retailers MyPillow and Amerisleep were victims of the Magecart cybercrime gang.

The Magecart umbrella includes at least 11 different hacking crews that has been active at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other. 

The list of victims of Magecart groups is long and includes several major platforms such as British AirwaysNeweggTicketmaster, and Feedify​​

Now RiskIQ published a report that discloses two new credit-card breaches associated with Magecart threat actors. Hackers stole payment card data from online bedding retailers MyPillow and Amerisleep by implanting a digital skimming code on both websites. One of the incidents has never been disclosed, the other was solved.

“In this blog, we’ll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep.” reads the advisory published by RiskIQ. “One has been resolved but was never disclosed and another is ongoing despite numerous attempts by us to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.”

Magecart skimmer

MyPillow website was compromised in October 2018, in this case, crooks inserted a skimming code on the site that was hosted on a look-alike domain (mypiltow[.]com), a typo-squat on the legitimate domain of MyPillow, and using a certificate issued by LetsEncrypt.

The skimming script remained on the website from October 1st to November 19th.

The second company hit by the Magecart gang is Amerisleep, it was targeted by same crews multiple times in 2017. The latest attack dates back December 2018, when Magecart compromised the website injecting skimmers contained on a Github account.

The latest attack against Amerisleep was discovered in January, experts noticed that the skimming scripts were injected by the attackers only on payment pages.

“In December 2018, the attackers had used a new skimming setup with a fascinating new method. The attackers abused Github by registering a Github account called “amerisleep” and creating the Github Pages address” continues the post.

“This skimming method quickly disappeared.” “Starting in January, we observed a different skimmer that Magecart actors injected with some conditional checks to ensure the script would only go on payment pages. Formerly, the skimmers themselves would check to see if they were already on an active payment page.”

Experts noticed that the skimmer domain has been taken offline, but that the injection is still live on the website as of the publishing of the report.

“Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.” concludes the report.

“Businesses need to focus on visibility into internet-facing attack surfaces and increase scrutiny of third-party services that form an integral part of modern web applications. The reputation of organizations that run payment forms online and the overall confidence of online shoppers is at stake.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking )

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment