The Magecart threat group continues its offensive with two newly disclosed breaches targeting bedding retailers MyPillow and Amerisleep.
The group attacked the two companies with online payment credit card skimming attacks, researchers with RiskIQ said on Wednesday. While MyPillow removed a skimmer impacting its website, Amerisleep has yet to remove the malware and the breach is ongoing despite numerous attempts by researchers to contact the affected retailer. In both cases, the consumers, whose payment information was potentially stolen, have yet to be informed, according to researchers.
“Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves,” said RiskIQ’s threat researcher, Yonathan Klijnsma, in a post.
Klijnsma told Threatpost that while he does not know how many could have been impacted, services like Similarweb show that Amerisleep has half a million visitors every month; while MyPillow has around a million visitors per month – meaning the impact could be “substantial.”
Magecart, which has made headlines over the past year for high-profile breaches of companies like VisionDirect, Ticketmaster and more, is known for its use of web-based, digital card skimmers, Magecart uses scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
In this most recently disclosed case, the threat group has turned its attention to the online ecommerce platforms for two popular bedding retailers.
MyPillow
Magecart first targeted MyPillow’s e-commerce platform in October 2018 with a series of different attacks, intending to steal payment information via its online website (mypillow.com), researchers said.
Attackers first used a typo-squat method (adding a typo to a fake domain to make it seem real), registering mypiltow[.]com, which looked like the primary domain of MyPillow and was covered with an SSL certificate. They then injected a script, containing a heavily obfuscated skimmer, into the fake webstore and scraped up payment card info entered onto that site by visitors who were fooled into thinking it was MyPillow’s legitimate site.
While this domain was quickly identified as illicit, “Based on what RiskIQ sees typically, this type of domain registration typo-squatting means that the attackers had already breached MyPillow and started setting up infrastructure in its name,” Klijnsma said.
In their second stage of the attack, attackers then registered a new domain, livechatinc[.]org, and hid this domain within the legitimate LiveChat script, which is an existing service that MyPillow uses, in MyPillow’s site.
“The attackers played a brilliant game the second time they placed a skimmer on the MyPillow website, adding a new script tag for LiveChat that matched a script tag usually inserted by the LiveChat scripts,” said Klijnsma.
The last time researchers observed a skimmer active on the MyPillow website was Nov. 19 – since then, they haven’t observed newly registered domains for attacks on MyPillow.
Mike Lindell, CEO of MyPillow, meanwhile confirmed to Threatpost that there was an “attempted breach” on MyPillow.
“I can confirm there was an attempted breach on the mypillow.com website on October 5th,” he said. “It was caught immediately. MyPillow hired a third party to investigate. They found no indication that the breach was effective or that any customer’s information was compromised. MyPillow reported the attempted breach to the authorities and has increased security on our website. Our customers and their security are my number one priority.”
However, Klijnsma told Threatpost, “this statement is absolutely false as we observed live skimmers on the webpage which would have worked to steal (skim) information.”
Amerisleep
The first indication of compromise on the Amerisleep websites started back in April 2017, researchers said. The mattress company has both physical stores in the US, as well as an online sales platform on Amerisleep.com.
Magecart first injected malicious scripts on Amerisleep’s website, attempting to make away with credit cards – and this attack lasted for half a year, ending in October 2017. Then, in December 2018, Magecart attacked again. The group set up a Github repository under Amerisleep’s name, and used that to host several scripts and inject those into the Amerisleep website.
Timeline of the first skimmer domains on Amerisleep’s site
“In December 2018, the attackers had used a new skimming setup with a fascinating new method. The attackers abused Github by registering a Github account called “amerisleep” and creating the Github Pages address amerisleep.github.io.” said Klijnsma.
With help from Github, meanwhile, researchers with RiskIQ took down the Github repository and the Github Pages account.
The actors then quickly abandoned the Github approach and instead focus on injections through their own custom domains.
Starting in January, researchers observed a different skimmer that Magecart actors injected. That skimmer is still operating: “Attempts to inform Amerisleep through their support desk and directly via email has gone unanswered,” researchers said.
Amerisleep has not yet responded to a request for comment from Threatpost.
Moving forward, retailers need to be further educated about Magecart and how to better secure their e-commerce platforms. However, when it comes to safeguarding websites, “there is, sadly, not just one answer,” Klijnsma told Threatpost.
“Just like with normal security its about a layered approach, protecting on the server-side of the payment platform to secure it as well as externally on the public side,” he told Threatpost. “It’s mostly about setting up barriers and making sure at least one of those will trip up the bad guys, there is not one simply solution to Magecart attacks rather its a whole variety of techniques to block or catch.”
