- While MyPillow was hit with Magecart attacks in 2018, Amerisleep is said to have been targeted as early as 2017.
- The pillow manufacturer has reworked its site since the attack, but Amerisleep has yet to respond with a fix.
The Magecart group, known for its notorious credit card skimming attacks, is making headlines again. This time, it has been found targeting the websites of mattress companies MyPillow and Amerisleep. The security incident was uncovered and detailed by Yonathan Klijnsma of RiskIQ. With its continuously evolving tactics, the group has slowly been rising to dominate cyberspace in 2019.
MyPillow
- In October 2018, Magecart registered a typo-squat domain imitating MyPillow, which pointed to possible attack infrastructure.
- The group then injected into the company’s web store a script that was hosted on the typo-squat site.
- The script contained a malicious JavaScript library for execution along with the skimmer code.
- They registered another new domain to insert a script as well as a skimmer into MyPillow’s LiveChat service.
- Klijnsma detected both skimmers, which remained active until November 2018.
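A defender can catch this kind of injection by auditing which hosts a storefront page loads scripts from and flagging near-misses of trusted names. The following is an added example, not taken from RiskIQ's report; the domain names, the allowlist and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store intentionally loads scripts from (constructed names).
ALLOWED_HOSTS = {"mattress-shop.example", "cdn.chat-vendor.example"}
# Constructed sample page: two trusted scripts, two lookalike hosts, one unknown host.
SAMPLE_HTML = """
<script src="/js/cart.js"></script>
<script src="https://cdn.chat-vendor.example/widget.js"></script>
<script src="https://mattres-shop.example/lib.js"></script>
<script src="//cdn.chat-vend0r.example/widget.js"></script>
<script src="https://stats.unrelated.example/t.js"></script>
"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_scripts(html, page_host, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (host, verdict) for each script host that is not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Relative URLs have no hostname, so they resolve to the page's own host.
        host = (urlparse(src, scheme="https").hostname or page_host).lower()
        if host in allowed:
            continue
        closest = min(sorted(allowed), key=lambda a: edit_distance(host, a))
        close = edit_distance(host, closest) <= max_distance
        findings.append((host, f"lookalike of {closest}" if close else "unknown host"))
    return findings
```

Calling `audit_scripts(SAMPLE_HTML, "mattress-shop.example")` reports the two lookalike hosts and the one unknown host, and passes over the site's own script and the trusted chat widget.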
Amerisleep
- In April 2017, Magecart began its credit card-skimming operation on Amerisleep. As in the MyPillow case, an obfuscated skimmer was used.
- The group also deployed multiple scripts during its attack on the mattress company.
- The site had skimmers active from April to October 2017. However, after a year, Magecart started deploying skimmers again.
- In fact, Magecart created a GitHub account in the name of Amerisleep to store its skimmer tools. The account was taken down shortly afterwards.
Why it matters – While the threat group earlier targeted large firms such as British Airways, Newegg, and others, it has now set its sights on smaller companies.