Everlast, the well-known American boxing equipment brand, recently had its online shop hacked by a cybergang linked to the world’s biggest online bank heist. Customer credit card data has been silently skimmed for at least three weeks, the Cybernews research team found.
A trojan skimmer loader was found on everlast.com, capturing credit card data during the checkout process. The injected code was still present on the site at the time of writing.
The malware was discovered by security researcher Darius Povilaitis and investigated by the Cybernews researchers Mantas Sasnauskas and Vincentas Baubonis.
Customers that have used the Everlast website recently should take immediate action to protect themselves, as their credit card data may be compromised.
The injected malicious code was active for at least three weeks up until Monday. The skimmer was first discovered in a copy of the website on July 11th, web.archive.com reveals. However, the injected code could’ve been active for much longer as the earliest saved copy of everlast.com, where the trojan loader was absent, is from June 7th.
The Everlast hack has been attributed to Magecart Group 4. This group is linked by other research to Cobalt Group, which itself is related to Carbanak, a financially-motivated threat actor known for conducting intrusions targeting ATM systems, card processing, payment, and SWIFT systems. This vast cybercrime ring has been tied to the largest online bank heist in the world.
The website everlast.com has 282.5K monthly visitors, mainly from the US (59%), with smaller shares from the United Kingdom (10%), Vietnam (3%), France (3%), and Germany (2%), according to data from similarweb.com. The Everlast brand is owned by Frasers Group, formerly Sports Direct International.
Everlast sells combat sports products, including boxing gloves, protective gear, punching bags, and others, in over 75 countries.
Cybernews contacted Everlast for comment and will update the story with the company's response.
How the hack works
The attack consists of two steps. First, code that calls out to a remote URL was injected into the everlast.com source code.
A single line, line 17 of the page source within the HEAD tag, loads a malicious JavaScript file called bootstrap.js from another website, cardkaze.com, which is probably either compromised itself or intentionally set up to look legitimate.
An interesting aspect of this is that the malicious payload was only used once. To gain a foothold and plant the trojan skimmer on the everlast.com website, the hackers exploited vulnerabilities in an outdated WordPress version or its plugins.
Next, the skimmer is loaded throughout the payment checkout process.
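The injection described above is a single script tag in the HEAD that pulls a loader from a host the shop does not own. The following is an added example, not Cybernews' or Everlast's tooling: a defender-side audit that parses a page's script tags, flags external scripts from hosts outside an allowlist (and allowed third-party scripts that lack Subresource Integrity), and hashes inline scripts so they can be compared against a known-good baseline. Only the host cardkaze.com comes from the article; the page markup, the other hosts and the allowlist are constructed.

```python
"""Added example (not Cybernews or Everlast tooling): audit the <script> tags on a
page for third-party loaders, the pattern behind the injected bootstrap.js.
Only 'cardkaze.com' comes from the article; every other host and path is constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page. The cardkaze.com tag in <head> mimics the injected loader.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<title>Checkout</title>
<script src="/js/app.js"></script>
<script src="https://cdn.shop-assets.example/vendor.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cardkaze.com/bootstrap.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body>
<form id="checkout"><input name="cc_number"></form>
<script src="https://analytics.shop-assets.example/a.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute, position and inline hash."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self._in_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            a = dict(attrs)
            self._in_script, self._buf = True, []
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                                 "in_head": self.in_head, "inline_sha256": None})

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script":
            self._in_script = False
            if self.scripts and self.scripts[-1]["src"] is None:
                body = "".join(self._buf).encode("utf-8")
                self.scripts[-1]["inline_sha256"] = hashlib.sha256(body).hexdigest()


def collect_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def audit_scripts(html, page_host, allowed_hosts):
    """Flag external scripts served from hosts outside the allowlist, and allowed
    third-party scripts without Subresource Integrity (a compromise of that host
    would otherwise go unnoticed by the browser)."""
    findings = []
    for s in collect_scripts(html):
        if s["src"] is None:
            continue
        host = urlparse(s["src"]).hostname
        if host is None or host == page_host:
            continue  # same-origin script; covered by the inline/baseline comparison
        if host not in allowed_hosts:
            findings.append({"src": s["src"], "host": host, "in_head": s["in_head"],
                             "reason": "third-party host not in allowlist"})
        elif not s["integrity"]:
            findings.append({"src": s["src"], "host": host, "in_head": s["in_head"],
                             "reason": "allowed third-party script without SRI integrity"})
    return findings


def inline_script_hashes(html):
    """SHA-256 of each inline script body, to record as a known-good baseline."""
    return {s["inline_sha256"] for s in collect_scripts(html) if s["src"] is None}


def new_inline_scripts(html, baseline_hashes):
    """Inline scripts absent from the baseline: a changed or newly injected block."""
    return inline_script_hashes(html) - set(baseline_hashes)


if __name__ == "__main__":
    allow = {"cdn.shop-assets.example", "analytics.shop-assets.example"}
    for f in audit_scripts(SAMPLE_HTML, "shop.example", allow):
        where = "HEAD" if f["in_head"] else "BODY"
        print(f"[{where}] {f['src']}: {f['reason']}")
```

Run against a fetched copy of each checkout-path page on a schedule, the audit turns the "one extra line in the HEAD" into an alert rather than something found weeks later in an archive copy. The same allowlist can be enforced in the browser with a Content-Security-Policy script-src directive, which blocks a loader from an unlisted host even if the injection succeeds.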
Once loaded, a banking trojan monitors the user’s online activities and intercepts credit card data during checkout. This data is then submitted to a Telegram channel, controlled by the attacker.
“The script hosted on cardkaze.com executes a malicious payload that, in turn, starts a watcher if specific conditions are met. For example, if a user is within the checkout page or if a credit card has a valid number and data combination,” Sasnauskas, Head of Security Research at Cybernews, explained.
The crooks bypassed automated detection by loading the stealer script from other websites. The code is also heavily encoded, obfuscated, and packed, making it difficult to read. The execution, delayed by random intervals along with specific requirements, ensures that the script has a minimal footprint and is pretty difficult to detect.
Only 4 out of 59 security vendors now flag the file as malicious, according to virustotal.com.
The hackers employed a no-infrastructure approach. The malicious payload is hosted and executed on hacked sites, and the free bot delivers the data instantly to a private group of criminals on every successful transaction with top-notch encryption.
Researchers found that the public key used to encrypt the information is linked to Magecart Group 4, which, in turn, is related to the Cobalt Group.
“We have also done a dynamic analysis of the checkout procedure and have confirmed that a call is indeed done to telegram API, to bot ‘@bot1002661085,’ containing none other but the stolen data, which consists of all information filled into the checkout form by the user,” said Vincentas Baubonis, Security Researcher at Cybernews. The information included:
- First/last name
- Phone number
- Full address
- Credit card number
- Expiration date
- Card verification number
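The dynamic analysis quoted above confirmed the theft by watching the checkout page call the Telegram Bot API. The following is an added example, not Cybernews tooling, of turning that observation into a detection rule over outbound web-proxy records: any request from a page on the shop's own host to a ready-made drop-box service such as api.telegram.org is flagged, rated higher when the referring page is a checkout or payment path, and the bot token is redacted before the record leaves the scanner. The log format, hosts, paths and token are all constructed; only the destination API comes from the article.

```python
"""Added example (not Cybernews tooling): scan outbound proxy records for checkout-form
exfiltration to the Telegram Bot API. Everything here except the destination host
api.telegram.org is constructed for the example."""
import re
from urllib.parse import urlparse

# Constructed proxy records: timestamp, method, URL, status, referer.
SAMPLE_LOG = """\
2023-07-25T10:01:02Z GET https://shop.example/checkout 200 referer=-
2023-07-25T10:01:05Z POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage 200 referer=https://shop.example/checkout
2023-07-25T10:01:06Z GET https://cdn.shop-assets.example/vendor.js 200 referer=https://shop.example/checkout
2023-07-25T10:02:30Z POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage 200 referer=https://wiki.example/oncall
2023-07-25T10:03:00Z POST https://shop.example/api/pay 200 referer=https://shop.example/checkout
2023-07-25T10:04:10Z POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage 200 referer=https://shop.example/
"""

# Hosts that hand an attacker a free drop box; extend with webhook and paste services.
DROPBOX_HOSTS = {"api.telegram.org"}
# Shop paths where card data is entered.
SENSITIVE_PATHS = re.compile(r"/(checkout|payment|cart|billing)\b", re.I)
# Telegram bot tokens have the shape /bot<digits>:<secret>; never copy them into alerts.
BOT_TOKEN = re.compile(r"/bot\d+:[A-Za-z0-9_-]+")

LINE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) referer=(?P<ref>\S+)$")


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def redact_token(url):
    """Strip the bot token before the record goes into a ticket or SIEM alert."""
    return BOT_TOKEN.sub("/bot<redacted>", url)


def find_exfil(log_text, shop_host):
    """Alert on requests that leave a page on shop_host for a drop-box host.

    Severity is 'high' when the referer path is a checkout-type page. With the browser
    default Referrer-Policy, cross-site requests carry only the origin, so an
    origin-only referer from the shop still yields a 'medium' alert rather than silence."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        dest = urlparse(rec["url"])
        if dest.hostname not in DROPBOX_HOSTS:
            continue
        ref = urlparse(rec["ref"]) if rec["ref"] != "-" else None
        if ref is None or ref.hostname != shop_host:
            continue  # not attributable to the shop's own pages
        severity = "high" if SENSITIVE_PATHS.search(ref.path) else "medium"
        alerts.append({"ts": rec["ts"], "method": rec["method"], "severity": severity,
                       "url": redact_token(rec["url"]), "referer": rec["ref"]})
    return alerts


if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOG, "shop.example"):
        print(f"{a['ts']} {a['severity'].upper()} {a['method']} {a['url']} from {a['referer']}")
```

The rule is deliberately narrow: a request to a chat or webhook API is unusual from a storefront page regardless of how obfuscated or delayed the skimmer is, which is the property that survives the packing and random timing described above. On the prevention side, a Content-Security-Policy connect-src directive limited to the shop's own payment and analytics endpoints stops the browser from making the call at all and reports the attempt via CSP violation reports.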
Immediate action required
The main risk of this hack is that everlast.com customer data may be stolen, and it can be exploited to perpetrate financial fraud, leading to unauthorized transactions and financial loss.
Recent buyers from everlast.com should immediately contact their bank or credit card company to report the incident, consider blocking the card, and receive a new one. They should also review their account statements for suspicious unauthorized transactions and, if any, notify authorities, providing them with all the relevant information.
If you suspect that your personal information may have been exposed, consider placing a fraud alert on your credit report or a credit freeze. A fraud alert warns potential creditors to verify your identity before issuing credit. Alternatively, a credit freeze restricts access to your credit report entirely.
Scammer attacks or other social engineering attempts are also expected after a data breach.
“Be cautious with phishing emails or phone calls, do not click suspicious links or provide any personal information for unknown parties. Leaked data is often used to exploit unsuspecting victims further,” Baubonis said.
To resolve the cybersecurity incident, Everlast should determine the source of the skimming code and its access point (third party, network, etc.), change any credentials that may have been exposed and exploited during the attack, and notify law enforcement so the attack is documented. Tighter security measures are also recommended: monitoring, code integrity checks, and regular updates.