The online store for the Rooster Teeth video-streaming service has been hit by a Magecart attack that used a malicious web redirect, rather than an in-page skimmer, to harvest customers' payment-card details. The attack marks a slight departure from the group's typical tactics.
Rooster Teeth, which offers original podcasts, animated shows and short-form content aimed at Millennials, said that the attack happened on December 2. According to a company website notice, it was able to detect the issue the same day.
“The malicious code directed users entering a checkout on the site to a spoofed webpage where they were asked to enter payment-card details in order to complete their purchases,” the Rooster Teeth notice explained. “This was inserted after the stage at which users entered their shipping data. Users who completed the payment-card details page were then directed to the real webpage, where they were asked to complete the forms again.”
Magecart is an umbrella term for several distinct threat groups that share a modus operandi: they compromise e-commerce websites (historically, mainly ones built on the Magento platform) and inject card-skimming scripts into checkout pages, so that card data is silently copied as shoppers type it into the legitimate form. The crooks behind this attack, on a Shopify-based store, varied that playbook: instead of skimming the real checkout, the injected code sent shoppers to a spoofed payment page, according to Elad Shapira, head of research at Panorays.
“The recent Rooster Teeth data breach illustrates how the Magecart threat continues to evolve while often targeting organizations through their third parties,” he said via email. “In this case, malicious code introduced on the company’s Shopify-based online store directed users to a fake payment page, where they were asked to enter their credit-card information. But it also points to good news, which is that companies are clearly beginning to take this threat seriously. It’s encouraging that Rooster Teeth’s IT team was able to discover and remove the malicious code on the same day it was introduced. Organizations can learn from this example, and should be sure to put processes in place to manage and review susceptibility to the Magecart threat through third-parties.”
The issue affected the Rooster Teeth online store, where the company offers various kinds of clothing and other merchandise. Rooster Teeth free streaming accounts and its “FIRST” subscription memberships weren’t impacted, the company said.
The spoofed page collected name, email address, telephone number, physical address, and/or payment-card information (including expiration dates and security codes). The company said that it sent data-breach notices to customers who were caught up in the attack.
“We removed the malicious code from the Site and took other steps to secure the site against further unauthorized access,” the company said. “The incident did not affect any other part of the site or other information maintained by us. It is our goal to provide a safe and secure shopping environment, and we will continue to review, audit, and improve our security controls and processes.”
Mike Bittner, director of digital security and operations at The Media Trust, noted that the attack underscores the ongoing rise of digital supply-chain attacks.
“Until companies take the insecurity of their digital supply chains seriously and monitor the code that runs on their sites, these attacks will continue,” he said. “There’s no other way to prevent these attacks than to allow only trusted digital vendors to run code on your site, as well as closely watch and regulate all the code that these vendors and their own digital third parties run to make sure they all follow your policies. By doing so, you will address not only security risk but also quality and performance risks that can degrade the site’s user experience.”