American Cancer Society hit by payment skimmer

Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American Cancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the Cancer.org shop, which intercepts payments from unsuspecting visitors.

Sansec has contacted Cancer.org via their fraud hotline but haven't received confirmation of a fix yet, and as of writing, the skimmer is still in place (copy here). Update 25th Oct: the skimmer has been removed, the site is all clean.

The multi-billion charity is the next in a series of high profile skimming victims over the past few years, including British Airways, Ticketmaster, LA Times, ESET, the Red Cross and Infowars. But those are only the tip of the iceberg. Our systems have identified 30 to 200 new cases per day since 2015.

Technical analysis

The Cancer.org skimmer loader hides itself by hiding behind the (legitimate) GoogleTagManager code:

It searches for "checkout" (Y2hlY2tvdXQ=) and will then load the actual skimming code from thatispersonal.com/assets/cancer.js (copy). This server is hosted in Irkutsk, a Russian network that is popular among skimming groups.

As you can see, the attacker made a glitch. The loader is included twice here, presumably because the first one does not function.

Are you a merchant?

Are you dealing with a similar incident right now? Get in touch, we are ready to help you resolve this quickly. Since 2015, we have cleaned and hardened hundreds of stores and provide warranty against re-infection. Our goal is to help you prevent incidents instead of having to deal with them!

Read more

• Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns
• CosmicSting attack & defense overview
• Persistent backdoors injected on Adobe Commerce via new CosmicSting attack
• CosmicSting attacks have started hitting major stores
• Polyfill supply chain attack hits 100K+ sites