Forbes Becomes Latest Victim of Magecart Payment Card Skimmer

The payment card-siphoning Magecart group has struck again; this time injecting web-skimming scripts into the subscription website for the Forbes print magazine (as well as a slew of others over the past week).

[Scroll down for our exclusive podcast on Magecart]

The script, which has since been removed, was discovered on the subscription page of the Forbes Magazine website on Wednesday, scraping up the payment data of subscribers. It should be noted that the affected Forbes Magazine subscription page (forbesmagazine.com) is a separate website from the Forbes online news outlet (Forbes.com).

Security researcher Troy Mursch, founder of Bad Packets Report, told Threatpost that he noticed the site was compromised on Wednesday at 12:30 a.m. ET.

The impacted website was taken down shortly after the problem was discovered; and remains down while Forbes works with third parties to clean up the site, a Forbes spokesperson told Threatpost. The spokesperson said that Forbes is fairly confident that no one was impacted by the skimmer.

However, Mursch warned in a Wednesday tweet that: “If you made a purchase on the site while it was compromised, your credit-card information was likely stolen.”

> ⚠️ WARNING ⚠️@Forbes Magazine subscription website (<https://t.co/VqCahQHj9X&gt;) is infected with #magecart malware.
>
> Exfil domain: fontsawesome[.]gq (🇧🇬)@urlscanio results: <https://t.co/Su3ziLZd3w&gt;
Deobfuscated code: <https://t.co/jb0ULmq0Et&gt; pic.twitter.com/zlRGZ5k2hE
>
> — Bad Packets Report (@bad_packets) May 15, 2019

Forbes isn’t the only recent victim of the infamous Magecart group: In just the last week, Magecart web skimmers have also been discovered on at least seven other websites – with the majority of compromises occurring around May 10.

Those affected were: Content management system CloudCMS and analytics provider Picreel (both discovered by security researcher Willem de Groot), as well as ad platform provider AdMaxim, analytics tech supplier RYVIO, ad provider AppLixir, supplier eGain and content-marketing supplier Growth Funnel.

Beyond these victims, researchers at RiskIQ also found evidence of Magecart targeting a video-game trading platform in Japan, a chemical manufacturing organization and various low-level news websites.

Interestingly, in these weekend attacks, “some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a ‘shotgun’ approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative,” said Yonathan Klijnsma, researcher with RiskIQ, in a Thursday analysis.

Threatpost talks to Yonathan Klijnsma, researcher with RiskIQ about Magecart.

Magecart, which has made headlines over the past year or so for high-profile breaches of companies like VisionDirect, Ticketmaster and more, is known for its use of web-based, digital card skimmers, Magecart uses scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.

More recently, the Magecart threat group continued its offensive with two newly disclosed breaches targeting bedding retailers MyPillow and Amerisleep.

“This latest data breach at Forbes’ subscription website illustrates how clearly Magecart is here to stay,” Matan Or-El, CEO of Panorays, said in an email. “This type of supply-chain attack succeeds in targeting a large number of victims at once, and we will likely see more such cyberattacks as long as the opportunities for malicious activity exist. It also underscores why it’s so important for companies to assess and continuously monitor the cyber-posture of their third parties in order to thwart cyberattacks before they occur.”

_Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss _our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.