- Attackers injected a malicious Magecart script on the checkout page of the National Baseball Hall of Fame online store.
- This resulted in the attackers stealing the personal information of customers who made purchases via the online store between November 15, 2018, and May 14, 2019.
What’s the matter?
Attackers hacked the website for the National Baseball Hall of Fame and injected a malicious Magecart script to steal customers’ payment card information.
On June 18, 2019, the National Baseball Hall of Fame learned that attackers could have obtained customers’ personal information by injecting malicious code on the checkout page of its online store.
What is the impact?
This incident resulted in attackers stealing the personal information of customers who made purchases via the online store between November 15, 2018, and May 14, 2019.
The stolen information included customers’ names, billing addresses, and payment card information, including CVV numbers. However, no Social Security numbers or driver’s license numbers were compromised.
What was the response?
- Upon learning about the incident, the organization reported it to law enforcement and hired a forensic security team to launch an investigation.
- The organization promptly removed the malicious code from the web store and implemented additional safety measures to enhance the security of its online store.
- It has also notified the credit card brands about the incident so that they will monitor customers’ accounts for any suspicious activity.
“We value the trust you place in us to protect your privacy, take our responsibility to safeguard personal information seriously, and apologize for any inconvenience or concern this incident might cause,” National Baseball Hall of Fame said in a security notice.
Magecart Group 4 might be behind the attack
The National Baseball Hall of Fame removed the Magecart script from the online store; however, BleepingComputer was able to locate the malicious script in a snapshot on Archive.org.
BleepingComputer researchers noted that the malicious script appears to be a Google Analytics script. Upon further analysis, they noted that the associated script is loaded from www.googletagstorage[.]com.
“While the domain indicates it belongs to Google, www.googletagstorage[.]com is actually not registered to them and resolves to an IP address located in Lithuania. This same host has also been seen used in other attacks in the past as shown by the IOCs on AlienVault and IBM's Xforce Exchange,” researchers said in a blog.
Researchers speculate that Magecart Group 4 could be behind this attack, as methods used by the group have been observed in it.
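
A defender's check for the pattern described above, added here as an illustration and not taken from BleepingComputer or the Hall of Fame: it lists the hosts a checkout page loads scripts from and flags any that are off the allowlist, separating a known indicator from a host that merely borrows a brand name. The allowlist, brand keywords, sample HTML, `shop.example.org`, `cdn.example.net` and the script paths are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Indicator from the article, kept defanged in source and refanged at runtime.
SKIMMER_HOST = "www.googletagstorage[.]com".replace("[.]", ".")
# Assumption: script hosts this store intentionally uses (constructed allowlist).
ALLOWED_HOSTS = {"shop.example.org", "www.google-analytics.com"}
# Assumption: brand strings treated as impersonation bait in an unlisted host.
BRAND_KEYWORDS = ("google", "gstatic", "jquery")

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Record the src of every external <script>; inline scripts have none.
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_script_hosts(html, page_url, allowed=ALLOWED_HOSTS, known_bad=(SKIMMER_HOST,)):
    """Return {host: verdict} for each script host that is not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = {}
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative (//host/x.js) sources.
        host = urlparse(urljoin(page_url, src)).hostname or ""
        if not host or host in allowed:
            continue
        if host in known_bad:
            findings[host] = "known-ioc"
        elif any(brand in host for brand in BRAND_KEYWORDS):
            findings[host] = "brand-lookalike"
        else:
            findings[host] = "unlisted"
    return findings

# Constructed checkout page: first-party, genuine analytics, impostor, unknown CDN.
SAMPLE_CHECKOUT_HTML = f"""<html><head>
<script src="/js/cart.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//{SKIMMER_HOST}/gtm.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
</head><body>checkout</body></html>"""

if __name__ == "__main__":
    print(audit_script_hosts(SAMPLE_CHECKOUT_HTML, "https://shop.example.org/checkout"))
```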