This article is more than 1 year old

Breaking news: Bank-card-slurping malware sneaks into Forbes' mag subscription website

Dead-tree devotees who recently signed up may want to check their statements

The Magecart credit-card-skimming malware that is the bane of internet shoppers has been spotted again, this time on the Forbes magazine subscription website.

The infection was clocked by net security watcher Troy Mursch at around 0400 UTC on Wednesday. It appears hackers unknown somehow installed malicious JavaScript on forbesmagazine.com so that any bank card details entered into the site by would-be-subscribers would be siphoned off to another web server to be used later by crooks and fraudsters.

“If you want to subscribe to the paper version with a credit card then that’s where you have to go,” Mursch, chief research officer of Bad Packets, told The Register on Wednesday. “That’s the reason, in my opinion, why they infected that part of the site.”

The researcher tried to alert Forbes to the Magecart infection on numerous email addresses, even trying security at forbes dot com which turned out to be unavailable. He also reported the problem to the domain owner, and has yet to hear anything back from Forbes.

Nevertheless, the payment page was taken down at around 1400 UTC and remains offline at time of writing. The malicious JavaScript, obfuscated in the HTML source and decoded here, has seemingly vanished.

A Forbes spokesperson told El Reg on Wednesday night that, at this stage, it doesn’t appear the crooks got anyone’s credit card information, though an investigation is ongoing. Nevertheless, recent subscribers should check their credit card statements for signs of fraudulent use, as should everyone these days, frankly.

ticketmaster

Ticketmaster breach 'part of massive bank card slurping campaign'

READ MORE

It appears Forbes could have become victims of yet another supply-chain attack, in which hackers break into or abuse an organization that provides code to other websites, and use that platform to inject evil JavaScript into a large number of victims at once. On Sunday, Willem de Groot, a forensic analyst for Sanguine Security, noticed that the records of customers of Picreel, a web marketing software supplier, had been leaked online by hackers unknown.

Forbes is a customer of Picreel, and what seems to have happened is that enough info escaped the marketing biz’s servers to allow the installation of the Magecart software on the Forbes subscription dotcom. Picreel’s other 1,200 customers may also be at risk, and you can check out a list of affected domains right here.

Magecart, which first surfaced in 2015, has been causing massive headaches for online traders. British banks were forced to replace 40,000 cards after Ticketmaster picked up a Magecart infection, British Airways was struck down, and online retailer Newegg was hit with the card-gobbling code in the past year. ®

More about

TIP US OFF

Send us news


Other stories you might like