MageCart Group Compromises Forbes Subscription Site

Delaware, USA – May 16, 2019 – The cybercriminals compromised the Forbes website and injected the card skimmer into a subscription page. Security researcher Troy Mursch uncovered obfuscated JavaScript on the website yesterday and immediately informed the organization about compromise. It took about 10 hours before the site admin took down the payment page, and it is still unavailable at the moment. Deobfuscated skimmer can be explored on Pastebin, and domain used to gather credit card data is disabled. To exfiltrate the stolen data, the MageCart group used the WebSocket protocol. Their skimmer collected bank card details, customers’ names, addresses, phone numbers, and emails. An investigation is currently underway, and a Forbes representative claims that there is no evidence that anyone bought the subscription has suffered but recommends that all recent customers check their card balance just in case.

It is not yet established how the cybercriminals compromised the website. Presumably, this became possible as a result of the supply-chain attack on Picreel, a web marketing software supplier, since the customers’ data of this company were leaked and spotted online last Sunday. MageCart groups are known for loud hacking, such as hacking into British Airways, Newegg, and OXO, but attackers also compromise the popular extensions and plugins to inject their malicious code into thousands of websites in a moment. For timely detection of attacks on your sites and servers, you can use the Web Application Security Framework rule pack, which helps to spot malicious activity and acts as an early warning system for your critical business applications that face public internet: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight