Everlast, the renowned American boxing equipment brand, recently fell victim to a brazen cyberattack orchestrated by a cybergang associated with the world’s biggest online bank heist. The attackers infiltrated Everlast’s online shop, discreetly capturing credit card data during the checkout process. Shockingly, this vulnerability remains active as events continue to unfold.
Investigation Exposes Sophisticated Attack Techniques, Magecart Group 4 Implicated
The malware responsible for the breach was uncovered by security researcher Darius Povilaitis and further investigated by the Cybernews research team, led by Mantas Sasnauskas and Vincentas Baubonis. The attack comprises two steps, starting with the injection of code that calls out to a remote URL within the everlast.com source code.
Notably, the malicious payload was detected in bootstrap.js, a JavaScript code hosted on cardkaze.com, a potentially compromised or intentionally deceptive website. Remarkably, the hackers’ tactics include exploiting vulnerabilities from an outdated WordPress version or its plugins, allowing them to plant a trojan skimmer on the website.
The trojan skimmer is loaded throughout the payment checkout process, acting as a banking trojan to monitor users’ online activities and intercept credit card data. This sensitive information is surreptitiously sent to a Telegram channel under the attackers’ control, cleverly bypassing automated detection through obfuscation and encryption.
The attackers have adopted a no-infrastructure approach, executing the malicious payload on hacked sites. The encrypted data is instantly delivered to a private group of criminals for illicit use in financial fraud. Alarmingly, only four out of 59 security vendors currently flag the file as malicious, underscoring the cybercriminals’ sophistication.
Researchers have traced the public key used for encryption to Magecart Group 4, a notorious hacking group connected to the Cobalt Group, known for its involvement in Carbanak’s financially-motivated intrusions targeting ATM systems, card processing, and SWIFT systems. The same group has also been linked to the largest online bank heist in history.
Summary
Everlast, the esteemed American boxing equipment brand, is grappling with a high-profile cyberattack orchestrated by a cybercriminal gang tied to the world’s most significant online bank heist. The attackers successfully infiltrated Everlast’s online shop and stealthily skimmed customers’ credit card data during the checkout process, remaining undetected for at least three weeks.
Security researchers discovered a trojan skimmer loader on everlast.com, indicating an ongoing vulnerability that could continue to endanger customers’ sensitive information. The attack was attributed to Magecart Group 4, a notorious hacking group with links to the Cobalt Group, known for its involvement in extensive financial cybercrimes.
Everlast’s monthly visitor count of 282.5K mainly comprises customers from the US and the UK, presenting a significant pool of potential victims. As the cybersecurity experts continue their investigation, Everlast customers who have used the website recently must take immediate action to safeguard their financial data. Affected customers should promptly notify their banks or credit card companies, consider blocking the card, and monitor their account statements for unauthorized transactions.
In response to the cybersecurity incident, Everlast must identify the source of the skimming code, implement tighter security measures, and update its systems regularly. Immediate action is essential to protect customers from potential financial fraud and other social engineering attempts following the data breach.
“Everlast is one of the world’s leading sports brands and given that thousands of people visit their site every day, this malware will have put a huge volume of consumers at risk. The skimmer would have been undetectable to customers, so they would have entered their details freely, without ever realising they were handing them directly over to criminals. Now these details are in the hands of some of the world’s most notorious hackers, so remediation on both the customer side and the Everlast side are essential.
Firstly, Everlast must take time to improve its security posture. Malware scanning is essential today and this must be paired with proactive pen testing so weaknesses and threats can be spotted and remediated quickly. Every organisation on the planet should be taking these security steps today.
For customers, they must take time to monitor their online accounts to check for fraudulent tractions. If any are spotted, contact Everlast and ask for compensation. It is also advisable to be on guard for phishing emails related to the incident, because now that it’s public, attackers will be looking to monetise from it as much as they can, while they still can.”