Sansec logo

American Cancer Society hit by payment skimmer

Sansec

by Sansec Forensics Team

Published in Threat Research − October 25, 2019

American Cancer Society hit by payment skimmer

Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American Cancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the Cancer.org shop, which intercepts payments from unsuspecting visitors.

Sansec has contacted Cancer.org via their fraud hotline but haven't received confirmation of a fix yet, and as of writing, the skimmer is still in place (copy here). Update 25th Oct: the skimmer has been removed, the site is all clean.

The multi-billion charity is the next in a series of high profile skimming victims over the past few years, including British Airways, Ticketmaster, LA Times, ESET, the Red Cross and Infowars. But those are only the tip of the iceberg. Our systems have identified 30 to 200 new cases per day since 2015.

Technical analysis

The Cancer.org skimmer loader hides itself by hiding behind the (legitimate) GoogleTagManager code:

It searches for "checkout" (Y2hlY2tvdXQ=) and will then load the actual skimming code from thatispersonal.com/assets/cancer.js (copy). This server is hosted in Irkutsk, a Russian network that is popular among skimming groups.

As you can see, the attacker made a glitch. The loader is included twice here, presumably because the first one does not function.

Are you a merchant?

Are you dealing with a similar incident right now? Get in touch, we are ready to help you resolve this quickly. Since 2015, we have cleaned and hardened hundreds of stores and provide warranty against re-infection. Our goal is to help you prevent incidents instead of having to deal with them!

Read more

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
Company Reg 77165187
|
Tax NL860920306B01