Breaking news: Bank-card-slurping malware sneaks into Forbes' mag subscription website

Dead-tree devotees who recently signed up may want to check their statements


The Magecart credit-card-skimming malware that is the bane of internet shoppers has been spotted again, this time on the Forbes magazine subscription website.

The infection was clocked by net security watcher Troy Mursch at around 0400 UTC on Wednesday. It appears hackers unknown somehow installed malicious JavaScript on forbesmagazine.com so that any bank card details entered into the site by would-be subscribers would be siphoned off to another web server to be used later by crooks and fraudsters.

“If you want to subscribe to the paper version with a credit card then that’s where you have to go,” Mursch, chief research officer of Bad Packets, told The Register on Wednesday. “That’s the reason, in my opinion, why they infected that part of the site.”

The researcher tried to alert Forbes to the Magecart infection via numerous email addresses, even trying security at forbes dot com, which turned out to be unavailable. He also reported the problem to the domain owner, and has yet to hear anything back from Forbes.

Nevertheless, the payment page was taken down at around 1400 UTC and remains offline at time of writing. The malicious JavaScript, obfuscated in the HTML source and decoded here, has seemingly vanished.

A Forbes spokesperson told El Reg on Wednesday night that, at this stage, it doesn’t appear the crooks got anyone’s credit card information, though an investigation is ongoing. Nevertheless, recent subscribers should check their credit card statements for signs of fraudulent use, as should everyone these days, frankly.

It appears Forbes could have become a victim of yet another supply-chain attack, in which hackers break into or abuse an organization that provides code to other websites, and use that platform to inject evil JavaScript into a large number of victims at once. On Sunday, Willem de Groot, a forensic analyst for Sanguine Security, noticed that the records of customers of Picreel, a web marketing software supplier, had been leaked online by hackers unknown.

Forbes is a customer of Picreel, and what seems to have happened is that enough info escaped the marketing biz’s servers to allow the installation of the Magecart software on the Forbes subscription dotcom. Picreel’s other 1,200 customers may also be at risk, and you can check out a list of affected domains right here.

Magecart, which first surfaced in 2015, has been causing massive headaches for online traders. British banks were forced to replace 40,000 cards after Ticketmaster picked up a Magecart infection, British Airways was struck down, and online retailer Newegg was hit with the card-gobbling code in the past year. ®
