Cybersecurity researchers at RiskIQ discovered the two newly identified Magecart attacks targeting the bedding retailers MyPillow and Amerisleep. Magecart is a term used to describe different hacking groups specialised in implanting malicious code on the e-commerce websites. The Magecart injected the digital card skimmer on their websites to steal payment information at the checkout page.
It’s a bed breach and beyond.https://t.co/UykuBmPYwq
— CNET News (@CNETNews) March 20, 2019
Expert Comments Below:
Rusty Carter, VP Product Management at Arxan Technologies:
“The MyPillow and Amerisleep breaches are another two to add to the long list of businesses continuing to fall victim to Magecart and web vulnerabilities that turn eCommerce sites into delivery mechanisms for data stealing malware. In these particular cases, the Magecart hackers were on their websites for several months, with MyPillow first being hacked on 26th October, and Amerisleep being first accessed by hackers almost two years ago, in April of 2017, according to RiskIQ’s research.
Consumers continue to become the victims of theft due to web vulnerabilities, especially those running in the browser, and go undetected by businesses for extensive periods of time, as demonstrated by both MyPillow and Amerisleep. The long-lasting effects of theft against consumers is met with minimal corrections from many businesses and a lack of accountability.
With GDPR and other privacy and data protection regulations coming into effect, it is disappointing to see breach after breach affecting consumers and their private information, but it shows that the traditional security approaches are insufficient to properly protect consumers and their data. Businesses need to protect the applications that customers interact with, where they are most vulnerable (in the user’s machine / browser) and not just in the datacentre. If businesses want to sleep well at night and know they are keeping consumer data safe, they need to be bumping website and application security to the top of their agenda.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.