Magecart group breaks into MyPillow and Amerisleep websites, potentially stealing credit card information

• While MyPillow was hit with Magecart attacks in 2018, Amerisleep is said to be targeted as early as 2017.
• The pillow manufacturing company has reworked the site after the attack but Amerisleep is still to respond with a fix.

The Magecart group -- known for its notorious credit card skimming attacks, makes headlines again. This time, it has found targeting websites of mattress companies MyPillow & Amerisleep. The security incident was uncovered and detailed by Yonathan Klijnsma of RiskIQ. With its continuously evolving tactics, the group has slowly been rising to dominate the cyberspace in 2019.

MyPillow

• In October 2018, Magecart registered a false typo-squat site of MyPillow revealing the possibility of an attack infrastructure.
• The group then injected a script into the company’s web store which was hosted on the false site.
• The script had a malicious JavaScript library for execution along with the code of a skimmer.
• They registered another new domain to insert a script as well as a skimmer into the LiveChat service of MyPillow.
• Altogether, these two skimmers were detected by Klijnsma and were active till November 2018.

Amerisleep

• In April 2017, Magecart began its credit card-skimming operation on Amerisleep. Just like the MyPillow case, an obfuscated skimmer was used.
• The group also deployed multiple scripts during their attack on the mattress company.
• The site had skimmers active from April to October 2017. However, after a year, Magecart started deploying skimmers again.
• In fact, Magecart created a GitHub account in the name of Amerisleep to store their skimmer tools. This was taken down shortly.

Why it matters - While the threat group earlier targeted large firms such as British Airways, Newegg, and others, it has now eyed smaller companies.

“Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.” said Klijnsma in the blogpost.