Experts On American Cancer Society’s Online Store Infected With Credit Card Stealing Malware

By ISBuzz Team, Writer, Information Security Buzz | Oct 29, 2019 11:14 am PST

News broke yesterday evening that The American Cancer Society’s online store has become the latest victim of credit card stealing malware. A security researcher found the malware on the organisation’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card details from the payment page. The attackers, known as Magecart, sell the stolen card numbers on the dark web or use them to commit fraud.

5 Expert Comments
Deepak Patel, Security Evangelist | October 29, 2019 7:49 pm

Magecart attacks are more common than originally estimated. We have now seen attacks across many industries — airlines, e-commerce, fashion and beauty, and retail — irrespective of company size. It is clear these digital skimming attacks that compromise third-party vendor code and harvest personally identifiable information (PII) from unsuspecting users are not going to stop anytime soon.

In this new low for attackers, targeting the American Cancer Society, the attacker injected the malicious code and hid it behind Google Tag Manager. The only reason this attack was discovered was that a security researcher was scanning sites, and also because the code was inserted twice.

To restore user confidence, website owners should take a new approach to client-side attacks and monitor the third-party code execution on their sites in real time, tracking its actual behavior. Relying on traditional forms of web security like Web Application Firewalls (WAFs) would not protect against Magecart attacks that bypass the website owner’s infrastructure.

Mounir Hahad, Head | October 29, 2019 7:46 pm

The attackers had a way to compromise the server and modify its code manually. It is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward. As a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.

Jonathan Deveaux, Head of Enterprise Data Protection | October 29, 2019 7:40 pm

As the history of recent data breaches has shown, even non-governmental organizations (NGOs) and similar organizations are targets for data theft. If your organization accepts web-based payments, your security team should be on full alert for Magecart skimming attacks. Companies can improve their webpage monitoring, file integrity checking, and blocking of untrusted external sources to defend against this type of sophisticated attack. Additionally, organizations can deploy data-centric security, which can anonymize sensitive data at its earliest point of entry into their enterprise, a major step toward dramatically reducing the risks associated with data breaches and sensitive data exfiltration.

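The three comments above (Patel on monitoring third-party script behaviour, Hahad on periodic checksums of script code, Deveaux on file integrity checking and blocking untrusted external sources) all describe the same defensive pattern: record what scripts a payment page is supposed to load, then re-check the live page against that record and against an origin allowlist. The script below is an added example written for this page; it is not code from the article, from any of the commenters, or from any of their companies. It parses two constructed HTML snippets (no real site is contacted), builds a baseline of inline-script hashes and external script sources from the known-good page, and reports added, modified or removed scripts and any script loaded from a host outside the allowlist. The host names and the `GTM-PLACEHOLDER` id are assumptions used only as sample input.

```python
"""Baseline-and-diff integrity check for the scripts a payment page loads.

Added example, not the article's or any commenter's code. Implements the
two measures the comments describe: a checksum comparison of script
content against a recorded baseline, and an allowlist of script origins.
Constructed sample HTML is embedded below; nothing is fetched.
"""
import hashlib
import re
from urllib.parse import urlparse

# Regexes are enough for this demo. A production monitor should use a real
# HTML parser and should also fetch and hash the external scripts it finds,
# since an unchanged <script src> can still serve changed content.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_scripts(html):
    """Return (src, inline_body) pairs in page order; src is None for inline scripts."""
    out = []
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        out.append((m.group(1) if m else None, body.strip()))
    return out


def fingerprint(html):
    """Build the baseline: inline#<n> -> sha256 of body, external src -> 'external'.

    Inline scripts are keyed by position, so an appended or duplicated block
    (the article notes the injected code was inserted twice) appears as a new key.
    """
    fp = {}
    inline_n = 0
    for src, body in extract_scripts(html):
        if src is None:
            fp[f"inline#{inline_n}"] = hashlib.sha256(body.encode("utf-8")).hexdigest()
            inline_n += 1
        else:
            fp[src] = "external"
    return fp


def check_page(html, baseline, allowed_hosts):
    """Diff the current page against the baseline and origin allowlist; return findings."""
    findings = []
    current = fingerprint(html)
    for key, digest in current.items():
        if key not in baseline:
            findings.append(f"added script: {key}")
        elif baseline[key] != digest:
            findings.append(f"modified inline script: {key}")
    for key in baseline:
        if key not in current:
            findings.append(f"removed script: {key}")
    for src, _ in extract_scripts(html):
        if src is None:
            continue
        host = urlparse(src).netloc.lower()
        # A relative URL has no host and is same-origin; anything else must be allowlisted.
        if host and host not in allowed_hosts:
            findings.append(f"script from unexpected host: {host}")
    return findings


# Constructed known-good checkout page (sample input, not a real site).
KNOWN_GOOD = """<html><head>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="/static/checkout.js"></script>
</head><body><form id="payment"></form></body></html>"""

# Constructed tampered copy: one extra inline block and one extra external source.
TAMPERED = KNOWN_GOOD.replace(
    "</head>",
    "<script>/* constructed placeholder standing in for an unexpected injected block */</script>\n"
    '<script src="https://cdn.example-analytics.invalid/a.js"></script>\n</head>',
)

ALLOWED_HOSTS = {"www.googletagmanager.com"}  # assumed allowlist for the sample page
BASELINE = fingerprint(KNOWN_GOOD)             # recorded once, when the page is known clean


def run_demo():
    """Re-check both pages against the baseline, as a periodic job would."""
    return {
        "clean": check_page(KNOWN_GOOD, BASELINE, ALLOWED_HOSTS),
        "tampered": check_page(TAMPERED, BASELINE, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or ["no change"])
```

Run on a schedule (the "every few minutes" Hahad suggests), the job alerts on the first non-empty findings list; the baseline is only refreshed through a deliberate change-control step, otherwise an injected script would simply become part of the new baseline.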
Jonathan Knudsen, Senior Security Strategist | October 29, 2019 7:31 pm

The sabotage of the American Cancer Society shows that no organisation is immune from the challenges of cybersecurity. Every organisation has something of value. Cybersecurity is all about finding the balance between that value and the effort required to steal or attack it. The goal is to make the cost of an attack greater than the value that can be stolen. Cyber-attacks are particularly popular because the risks are low, the level of effort is often low, and the rewards are high. The best thing defenders can do is ratchet up the level of effort for an attack to the point where potential attackers turn their attention elsewhere.

Sam Curry, Chief Security Officer | October 29, 2019 7:20 pm

The hackers have a machine that is ready to grind up identities, and they will point it at the industries, countries, and organisations that give them the fastest path to the most money with the least cost and risk. Not-for-profit organisations often have the least resources for support functions, like security, and in the old days of hacking were considered inappropriate targets. Once upon a time, hackers didn’t attack “muggles,” to borrow from JK Rowling’s Harry Potter lexicon. Not so anymore with the almighty dollar dominating the dark side. Everyone can have vulnerabilities and weaknesses, but the American Cancer Society breach should be a wake-up call to everyone: if you aren’t improving your security posture and hygiene constantly, it’s a question of when, not if, the great credit card fraud machinery of organised cybercrime comes for you.
