The news was filled with attack after attack this past year. Prominent companies and trusted brands felt the wrath of online attacks with some heavy fines that unfortunately came with them. The following article lists a few of the prominent cyber attacks that took place in 2019, divided into industries, and some of the valuable lessons those involved may have learned in the process.
eCommerce/online retailers
The eCommerce field is prone to attacks due to its lucrative nature and the fact that payment methods are such an integral part of most interactions. Here are a few incidents to prove that cybersecurity never goes out of style:
Fashion site Sixth June leaks payment data
Type of attack: Magecart
When it happened: October 2019
What happened: The attack demonstrated a more sophisticated method, in which the malicious code didn’t attack non-US visitors or users using the Linux operating system.
Lessons to learn: Hackers have acquired targeting abilities that are quite impressive, and in this case were used to exclude specific users but in other incidents might be used to expand the attack.
Procter & Gamble-owned First Aid Beauty site is hacked
Type of attack: Magecart
When it happened: October 2019
What happened: Hackers planted an e-skimmer to steal payment card data, while excluding non-US visitors.
Lessons to learn: It took the company a week to respond to the attack, despite several alerts from security experts. Security teams, pay attention!
The National Baseball Hall of Fame gets hit
Type of attack: Magecart
When it happened: August 2019
What happened: A malicious script was injected into the website’s online store.
Lessons to learn: Even websites that are not focused on eCommerce per-se should apply security measures to protect the eCommerce section of their website.
Magecart skimmers are found on Amazon CloudFront CDN
Type of attack: Magecart
When it happened: June 2019
What happened: JavaScript libraries that were hosted on the Content Delivery Network were injected with web skimmers.
Lessons to learn: Websites that do not validate their externally loaded content properly are exposed to major threats.
The Picreel marketing software and CloudCMS get hit
Type of attack: Magecart
When it happened: May 2019
What happened: Hackers inserted a skimmer at the bottom of a script used by the analytics provider in order to follow user behavior.
Lessons to learn: Every single part of the chain can expose websites to attacks. In this case, the broken malicious code limited the impact of the attack, but things could have been a lot worse.
The Atlanta Hawks basketball team suffers a Magecart attack
Type of attack: Magecart
When it happened: April 2019
What happened: The merchandise website was hacked by a skimming group.
Lessons to learn: Not only hackers are getting smarter. The attack was discovered using a specific tool built by researchers that detects malicious code.
Hundreds of websites hosted on GitHub are attacked
Type of attack: Magecart
When it happened: April 2019
What happened: A credit card skimmer script was uploaded to GitHub by a platform user.
Lessons to learn: Even the techiest of websites has to watch out. No one is safe, no one can afford to get comfortable.
Financial Institutions
Financial institutions are where the money is, and hackers are well aware. The digital transformation many of these organizations are experiencing leads to wonderful innovations, but also to quite a few dangers for those who do not use the most advanced security measures.
3 million UniCredit clients are affected by a serious security breach
Type of attack: Magecart
When it happened: November 2019
What happened: The details of about 3 million customers were hacked.
Lessons to learn: The attack was related to a file that dates back to 2015, which proves that checking and securing older files and archives is just as important as your recent interactions.
Travel, Ticketing & Aviation
This industry involves large sums of money, websites who use many external tools, and users who are eager to find the best deal. This explosive combination makes the travel world extremely attractive to hackers. It only takes one breach to turn a dream vacation into a nightmare.
Booking websites’ mobile users suffer an attack
Type of attack: Magecart
When it happened: September 2019
What happened: Two booking websites by different hotel chains suffered a credit card skimming attack.
Lessons to learn: As detailed in our recent article, the artful attack was built in such a way that enabled hackers to avoid detection and the usual detection measures, such as CSP, SRI, Foreign iFrame, or JavaScript proxies, wouldn’t have worked.
British Airways received record fine from UK regulators
Type of attack: Magecart
When it happened: September 2018
What happened: While the attack itself took place in 2018, this year the company was fined a record £183.39 million ($230 million) for not protecting users’ data.
Lessons to learn: Regulators are getting serious when it comes to security, which is yet another reason for companies to do the same. It’s a triple threat – companies now have to be worried about the costs associated with customer damages, brand reputation, and regulatory fines.
Media & content publishers
Even hackers think that content is king, and are on the hunt to get it and the massive data of users consuming it. Websites with many subscribed, paying readers are an very attractive target.
Forbes becomes a victim of a payment card skimmer
Type of attack: Magecart
When it happened: May 2019
What happened: Melicious, web-skimming scripts were injected into the subscription website of Forbes magazine’s print version.
Lessons to learn: Print isn’t dead, but it’s also not perfectly safe. Even physical products have an online entity that might face attacks.
Advertising company Adverline brings malicious code to hundreds of websites
Type of attack: Magecart
When it happened: January 2019
What happened: One of the company’s retargeting libraries was injected with credit card skimming code.
Lessons to learn: The script used in this attack was designed to clear the browser’s debugger console messages, making it harder to detect, which shows that hackers invest efforts not only in infiltration but also in deterring detection.
The above attacks are all Magecart attacks, which demonstrates, once again, how dangerous this group has become. Websites of all verticals and sizes suffer security attacks on a daily basis and 2019 saw some of the most interesting advancements from both hackers and security professionals. We don’t know yet which new tech innovations will be celebrated in each field in 2019, but we can say one thing for sure: they will all need the right security tools to stay safe.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
