• Users who made purchases on the basketball team’s online store had their names, addresses, and credit card details stolen by Magecart skimmers.
  • Only those users who shopped on or after April 20th were affected by this security incident.

The notorious Magecart group has struck again. This time, it has compromised the online store of Atlanta Hawks. The recent attack was detected when security experts from Sanguine Security came across a malicious code by Magecart on the checkout page of the Hawks store. According to the firm, the code has impacted users who shopped on or after April 20th from the store.

Magecart is infamously known for targeting large companies such as Ticketmaster, British Airways and Newegg.

The big picture

  • Names, addresses, and credit card details were potentially stolen by the Magecart group through skimmers injected on hawksshop.com
  • Sanguine’s analysis shows a suspicious code inserted on the checkout page of the store.
  • When the code was unscrambled, experts found that it was recording keystrokes in the payment form.
  • The Magecart group exploited Magento Commerce Cloud 2.2, which powers the online store of Atlanta Hawks. In addition, the group is suspected to have used third-party components to gain access to the store.

Data exfiltrated to a new domain

The experts from Sanguine also suggested that the Magecart group used a different domain to possibly store keystrokes from the online store.

“Using Chrome Developer Tools, we see that during checkout, an extra request is made to the domain imagesengines[.]com. The payload is, as expected, the (encoded) name, address and card of our “bait shopper”.The exfiltration domain imagesengines.com has only been registered on March 25th and has nothing to do with the legitimate store. It is hosted with Leaseweb, a popular ISP among criminal actors,” they indicated.

Cyware Publisher