Forbes' Trouble With Magecart Card-Skimmer Malware Shows Need For Proactive Defense

The notorious Magecart credit card skimmer group managed to hit yet another high-profile target, as became apparent from a Twitter message posted by security researcher Troy Mursch on May 14. Besides posting about it on Twitter, he also notified Forbes directly that threat actors had compromised the subscription page for the physical copy of the magazine.

The Magecart skimmer used in the attack was collecting card numbers, three-digit CVV/CVC codes, and expiry dates, as well as names, addresses, phone numbers, and email addresses. The malicious code injected into the subscription page was written in JavaScript. The attackers exfiltrated the stolen data to a domain chosen to resemble a legitimate domain of the FontAwesome service, which provides icon fonts for many websites, in a blatant attempt to make anyone examining the source code mistake the traffic for something benign.

After the attack became public, the subscription page was taken down, and the exfiltration domain was quickly shut down by Freenom's API. The attack on Forbes' website, however, didn't appear to be over even after the exfil domain was gone: on May 15, the subscription page came back online with a cryptic message that read: "Let the game begin!"

Over the following days, the website kept going offline and coming back, with a total downtime of around seven days. Forbes worked with third-party security professionals to repair it and stated that the company is "fairly confident" that no one was affected by the Magecart skimmer. Troy Mursch, however, was not convinced and tweeted: "If you made a purchase on the site while it was compromised, your credit-card information was likely stolen."

Anyone who bought the dead-tree edition of Forbes magazine through the site should check their payment statements for suspicious activity and keep monitoring their accounts in the following months, as stolen payment data can continue to circulate on the dark web for months to come.

Many have commented that the lack of proactive defenses left Forbes vulnerable. In particular, the subscription page employed neither a Content Security Policy, which could have prevented the attack, nor Subresource Integrity digests, which guard against JavaScript injection.

It appears that the Magecart skimmer group has become unstoppable at this point, with companies like Ticketmaster, Visiondirect, OXO, Newegg, and British Airways listed among its high-profile victims. Considering that an extensive article about cybercrime in general, and the Magecart group in particular, was posted by Jason Bloomberg on Forbes' website back in January, it is rather ironic that the magazine didn't take the proactive steps necessary to protect its customers' sensitive data.

It seems, however, that at this point online publications are more concerned with whether you're using Adblock or private browsing than with actually securing the data they want you to entrust to them.