Last week, the sports trading card and collectible company Topps issued a data breach notification stating that it was affected by an attack, which possibly exposed the payment and address information of its customers.
This type of attack is called a MageCart attack, which is when attackers hack a site to inject a malicious script into a site’s checkout or cart pages. When a visitor enters their payment and address information, this script will copy the submitted data and send it to a remote server for the attackers to collect.
According to the data breach notification, on December 26th, 2018, Topps became aware of an unauthorized third-party that had hacked their site. Upon further investigation, it was discovered that these intruders added a malicious script that was active from November 19, 2018 to January 9, 2019.
As part of this attack, Topps has stated that it is possible that customer information such as names, addresses, email address, and payment information may have been obtained by the attackers.
“It is possible that this incident compromised names, mailing addresses, telephone numbers, e-mail addresses, and payment information (including credit/ debit number, card expiration date, and security code) for customers who completed a purchase through the Topps website between November 19, 2018 and January 9, 2019,” Topps stated in their data breach notification. “Based on our investigation, we have no reason to believe that information for customers who completed a purchase through PayPal was affected.”
On January 9th, 2019, Topps upgraded the software used to run their site and removed the malicious script.
For customers who had used Topps.com between November 19th, 2018 through January 9th, 2019, it is advised that you monitor your credit history for identity theft and your credit card statements for fraudulent charges. It is also suggested that you contact your credit card company and alert them to this breach.
Topps.com affected by MageCart attack
After reading the data breach notice it became apparent that this breach was caused by a MageCart attack.
BleepingComputer contacted Yonathan Klijnsma, a security researcher for RiskIQ, to see if he had any information on a MageCart attack against the Topps.com site. Klijnsma has confirmed that the Topps.com site was affected by a MageCart attack during the time periods indicated in the breach notice.
“We can confirm the dates Topps provided, additionally we have some insights into what the skimming looked like and who performed this attack. Topps was breached by a group we call Magecart Group 4, we documented them in our “Inside Magecart” report last November.”
Unfortunately, there is no clear-cut solution that can be given to web site owner on protecting themselves from MageCart attacks. Klijnsma has told BleepingComputer in the past that the best way to prevent MageCart attacks is to “protect yourself from any kind of web attack.”
This includes making sure your web servers and the software running on them have the latest security updates, implement subresource integrity (SRI) so that modified scripts are not loaded without your permission, and try to host third-party scripts on your own servers rather than on third-party servers.