Atlanta Hawks store attack: MageCart credit card skimmers are back

MageCart attacks the Atlanta Hawks web store and steals credential information from its customers

Atlanta Hawks store leaks users' credentials due to notorious malware
MageCart hackers appear to be guilty of the credential leak at Atlanta Hawks store

Most likely many have heard something about the famous Atlanta Hawks team, which took 12th place in the NBA's conference. However, the Atlanta Hawks online store has been leaking customers' credit card details because of notorious malware that was first discovered on the 20th of April this year.

Those responsible for the attack are known as MageCart, a cybercriminal group which uses various system and network vulnerabilities to inject malicious payloads and gather sensitive information.[1] According to an official from Atlanta Hawks, personal information and credential details were stolen from users who ordered products on or after April 20th:

Online credit card thieves – also known as Magecart – have managed to inject a payment skimmer in the online store of the Atlanta Hawks. Fans who ordered merchandize on or after April 20th had their name, address and credit card stolen.

The MageCart[2] criminal group has been gathering targets all over the world. The Atlanta Hawks web store is not the only one that has been attacked by these hackers. In the past, other companies, including NewEgg, British Airways, and TicketMaster[3] UK, were also victims of similar skimming attacks.

Malware was spotted typing in fake personal information that was used for purchasing a hat

Sanguine Security experts managed to identify malicious code that was inserted into the Atlanta Hawks web store page. The security firm took a look at the page source and found that the code relates to the notorious MageCart group. Technology experts performed an investigation by making a test purchase, which allowed them to detect the suspicious activity:[4]

This activity can be observed when making a test purchase. Using Chrome Developer Tools, we see that during checkout, an extra request is made to the domain imagesengines.com.

As for the imagesengines.com domain name, cybersecurity experts warned users that it does not belong to the official Atlanta Hawks web store. It was created by cybercriminals on the 25th of March and used to carry out malicious actions. Additionally, researchers said that the payload included the encoded name, address, and card of the company's “bait shopper.”
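
The check described above, an extra checkout request going to a host that is not part of the store, can be automated over a HAR export from the browser's developer tools. The following is an added example, not code from Sanguine Security or the store: the allowlist hosts, the sample entries, and the query parameter name are constructed, and only the imagesengines.com domain comes from the report.

```javascript
// Hypothetical allowlist: the store's own host and its payment provider.
const ALLOWED_HOSTS = ["shop.example.com", "payments.example.net"];

// Constructed stand-in for the encoded name/address/card the report describes.
const fakeForm = "name=Test Shopper&addr=1 Example St&card=4111111111111111";
const encoded = Buffer.from(fakeForm).toString("base64");

// Constructed HAR-style entries for one checkout page load.
const SAMPLE_ENTRIES = [
  { request: { method: "GET", url: "https://shop.example.com/checkout/cart" } },
  { request: { method: "POST", url: "https://payments.example.net/v1/charge",
               postData: { text: "token=tok_constructed" } } },
  { request: { method: "GET", url: "https://imagesengines.com/?d=" + encoded } },
  { request: { method: "GET", url: "https://cdn.example.org/lib.js" } },
];

// Exact host or true subdomain only, so "shop.example.com.evil.test" fails.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase();
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// A long base64-looking run in a query string or body suggests encoded form data.
function looksEncoded(text) {
  return /[A-Za-z0-9+\/_-]{40,}/.test(text || "");
}

// Return every request sent to a host outside the allowlist, with a payload hint.
function findSuspectRequests(entries, allowed) {
  const findings = [];
  for (const e of entries) {
    let url;
    try { url = new URL(e.request.url); } catch { continue; } // skip malformed URLs
    if (hostAllowed(url.hostname, allowed)) continue;
    const body = e.request.postData ? e.request.postData.text : "";
    findings.push({
      host: url.hostname,
      method: e.request.method,
      encodedPayload: looksEncoded(url.search) || looksEncoded(body),
    });
  }
  return findings;
}

console.log(findSuspectRequests(SAMPLE_ENTRIES, ALLOWED_HOSTS));
```

An unlisted host without an encoded payload, like the constructed CDN entry, still needs review: it may simply be a third-party script that was never added to the allowlist.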

The malicious program was also found using non-existent credential information that helped the criminals order an Atlanta Hawks hat. This discovery was made by a cybersecurity analyst from Sanguine Security, Willem de Groot.

Malicious payload was supposedly brought in secretly by third-party components

It can be hard to avoid similar attacks from the MageCart hacker group, as these criminals work fast and launch different attack methods every week. Some malware can affect numerous web stores across the world within 6-12 hours of its initial launch. A solution for this situation is not simple, as it is difficult to defend against these types of attacks. However, the best you can do is make sure your web browser is updated and no browser extensions with detected vulnerabilities are installed.

Getting back to the Atlanta Hawks shop hack, cybercriminals used a system known as Magento Commerce Cloud 2.2. Even though it is considered to be safe to use, various third-party content is used to install malware and gain access to the targeted system. This attack might be the consequence of various plug-ins, third-party tools, and other software that could have distributed the malware.[5]

The Atlanta Hawks store went down for maintenance once the news about the attack broke, and it is still not available at the time of writing. If you were affected by this MageCart attack, it is highly advised to change all your passwords and immediately contact your bank so that it can monitor your bank account for illegal activities.

About the author
Alice Woods

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.
