According to a breach notification filed in California, the National Baseball Hall of Fame website had malicious code injected into its online store between 15 November 2018 and 14 May 2019. The data that could have been stolen includes a customer's name, email address and credit or debit card details, including the CVV code. Only customers who bought products through the website were affected, not visitors to the museum itself. If you purchased anything from the National Baseball Hall of Fame site at https://baseballhall.org/ during that period, you should notify your credit card company and monitor your statements for fraudulent purchases.
Payment data stolen by a MageCart attack
Attackers gained access to the Hall of Fame's website and injected a malicious script that captured payment data as customers submitted it and forwarded it to the attackers. Although the script is no longer present on the site, Cyberguards was able to locate the code in an Archive.org snapshot. As the picture below shows, the attackers inserted what at first glance looks like a Google Analytics script. Look closer, however, and the script is loaded from www.googletagstorage.com, a host the attackers control, which means they could change the skimmer's contents at any time without touching the compromised store again.
Although the name looks like a Google domain, www.googletagstorage.com is not registered to Google, and its IP address resolves to Lithuania. The same host has been used in earlier attacks, as the indicators of compromise on AlienVault and IBM's X-Force Exchange show. The script is written to resemble a legitimate Google Analytics script, but on inspection it hooks the shop's billing form, which carries the id "co-billing-form", and reads what the customer types into it.
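The lookalike host is the detail that gives this skimmer away, and it is the kind of thing a store owner can check for in a page snapshot without reading a single line of the obfuscated script. The following is an added example, not code from the original article or from the Hall of Fame site: it pulls every external script reference out of a saved HTML page, resolves it against the page URL, and flags any host that contains a well-known brand name (such as "google") but is not on an allowlist of that brand's real hosts, plus any third-party host that is not allowlisted at all. The allowlist, the brand tokens, the page URL and the sample HTML are assumptions constructed for this example.

```javascript
// Added example, not code from the original article or from the Hall of Fame site.
// Audits the <script src> tags in a page snapshot and flags hosts that imitate a
// well-known brand but are not on an allowlist of that brand's real hosts, which
// is exactly how www.googletagstorage.com stands out. The allowlist, brand tokens,
// page URL and sample HTML below are assumptions constructed for this example.

const ALLOWLISTED_HOSTS = new Set([
  "www.googletagmanager.com",
  "www.google-analytics.com",
  "ssl.google-analytics.com",
]);

// Substrings attackers reuse to make a skimmer host look trustworthy.
const BRAND_TOKENS = ["google", "analytics", "paypal", "stripe"];

// Pull every external script reference out of raw HTML. A regex is enough for a
// static snapshot; use a real DOM parser for production scanning.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve relative and protocol-relative src values against the page URL so that
// "/js/checkout.js" and "//evil.example/x.js" both yield a hostname.
function hostOf(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function classifyHost(host, pageHost) {
  if (host === pageHost) return "first-party";
  if (ALLOWLISTED_HOSTS.has(host)) return "allowlisted";
  // Brand name in the hostname but not on the allowlist: the googletagstorage pattern.
  if (BRAND_TOKENS.some((t) => host.includes(t))) return "LOOKALIKE";
  return "UNKNOWN_THIRD_PARTY";
}

// One record per script tag, in document order.
function auditScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return extractScriptSrcs(html).map((src) => {
    const host = hostOf(src, pageUrl);
    return { src, host, verdict: host ? classifyHost(host, pageHost) : "UNPARSEABLE" };
  });
}

// Only the verdicts that need a human to look at them.
function suspiciousScripts(html, pageUrl) {
  return auditScripts(html, pageUrl).filter(
    (r) => r.verdict !== "first-party" && r.verdict !== "allowlisted"
  );
}

// Constructed sample: one first-party script, one real Google Tag Manager loader,
// one lookalike host and one unrelated CDN. The tag id is a placeholder.
const SAMPLE_PAGE_URL = "https://shop.example/checkout/onepage/";
const SAMPLE_HTML = `
<html><head>
<script type="text/javascript" src="/js/checkout.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>
<script type="text/javascript" src="//www.googletagstorage.com/analytics.js"></script>
<script src="https://cdn.example-cdn.net/lib.min.js"></script>
</head><body><form id="co-billing-form"></form></body></html>
`;

for (const r of suspiciousScripts(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${r.verdict.padEnd(20)} ${r.host}  <- ${r.src}`);
}
```

Run against the constructed snapshot, the script reports www.googletagstorage.com as LOOKALIKE and cdn.example-cdn.net as UNKNOWN_THIRD_PARTY, while the first-party checkout script and the genuine Google Tag Manager loader are left alone. The allowlist is the important part: a skimmer that is served from a domain with no brand name in it will only surface as an unknown third party, so keep the allowlist short and review every host that is not on it rather than relying on the brand-token heuristic alone.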
Although there is no confirmation that the same group is responsible, the techniques used in this attack are similar to those RiskIQ previously documented for Magecart Group 4 in its report on the group.