The Green Bay Packers American football team notified fans that a threat actor hacked its official online retail store in October 2024 and injected a card skimmer script to steal customers' personal and payment information. The National Football League team says it immediately disabled all checkout and payment capabilities after discovering on 23 October 2024 that the packersproshop.com website was breached.
"On October 23, 2024, we were alerted to malicious code inserted on the Pro Shop website by a third-party threat actor," the Packers’ Director of Retail Operations, Chrysta Jorgensen, explains in breach notification letters sent to potentially affected individuals. "Immediately upon learning this, we temporarily disabled all payment and checkout capabilities on the Pro Shop website and began an investigation."
The NFL team also hired outside cybersecurity experts to investigate the incident's impact and determine whether any customer information had been accessed. The investigation revealed that the malicious code inserted in the checkout page could steal personal and payment information between late September and early October 2024. The Packers say the attacker could not intercept information from payments made using a gift card, Pro Shop website account, PayPal, or Amazon Pay. "We also immediately required the vendor that hosts and manages the Pro Shop website to remove the malicious code from the checkout page, refresh its passwords, and confirm there were no remaining vulnerabilities," Jorgensen added.
"Based on the results of the forensic investigation, on 20 December 2024, we discovered that the malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website between September 23-24, 2024 and October 3-23, 2024."
Dutch e-commerce security company Sansec, which notified the Packers of the breach, found that the skimming attack used a JSONP callback and YouTube's oEmbed feature to bypass the site's Content Security Policy (CSP). "In this attack, a script was injected from https://js-stats.com/getInjector. This script harvested data from the site's input, select, and textarea fields, exfiltrating the captured information to https://js-stats.com/fetchData," Sansec said in a report published on 31 December 2024.
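A defender-side check for the bypass pattern Sansec describes, as an added example (not code from Sansec, the Packers, or this article): it reads a page's script-src allowlist and flags script tags that load from the reported skimmer host, from hosts outside the policy, or from an allowlisted host with a JSONP-style callback parameter. The .example hosts, the sample policy and markup, and the JSONP parameter list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

IOC_HOSTS = {"js-stats.com"}                # host named in the Sansec report quoted above
JSONP_PARAMS = {"callback", "jsonp", "cb"}  # assumed list of common JSONP parameter names

def script_src_hosts(csp):
    """Return the host sources listed in a CSP script-src directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            # Skip keywords ('self', 'nonce-...') and scheme-only sources (https:).
            return {urlsplit(p if "//" in p else "//" + p).hostname
                    for p in parts[1:] if not p.startswith("'") and not p.endswith(":")}
    return set()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <script> tag seen

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def audit_page(html, csp):
    """Classify each external <script src> against the page's script-src allowlist."""
    allowed = script_src_hosts(csp)
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        url = urlsplit(src)
        if url.hostname is None:
            continue  # relative URL: served by the shop itself
        if url.hostname in IOC_HOSTS:
            findings.append(("known-skimmer-host", src))
        elif url.hostname not in allowed:
            findings.append(("host-not-in-csp", src))
        elif JSONP_PARAMS & {k.lower() for k in parse_qs(url.query)}:
            # An allowlisted host that echoes a caller-chosen callback undermines the allowlist.
            findings.append(("jsonp-on-allowlisted-host", src))
    return findings

# Constructed sample policy and checkout markup (the .example hosts are placeholders).
CSP = "default-src 'self'; script-src 'self' https://cdn.shop.example https://media.example"
PAGE = """<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://media.example/oembed?format=json&amp;callback=render"></script>
<script src="https://js-stats.com/getInjector"></script>
<script src="https://other.example/x.js"></script>"""
```

Calling `audit_page(PAGE, CSP)` on the sample returns one finding of each kind; the two scripts served by the shop itself or by an allowlisted host without a callback parameter are not reported.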
Personal and payment data impacted in the breach includes information entered on the Pro Shop website when purchasing, such as names, addresses (billing and shipping), email addresses, credit card types, expiration dates, and verification numbers. The Packers have yet to share the number of customers impacted by this data breach or how the threat actor was able to hack into the Pro Shop website to inject the card skimmer script.
The NFL team now offers those affected by this breach three years of credit monitoring and identity theft restoration services through Experian and advises them to monitor their account statements for any fraudulent activity. Those who observe suspected incidents of identity theft or fraud attempts should immediately report them to their bank and relevant authorities, including their state attorney general and the Federal Trade Commission (FTC).
Two years ago, the San Francisco 49ers also notified more than 20,000 individuals that their personal information (including Social Security numbers) was stolen in a February 2022 ransomware attack claimed by the Blackbyte cybercrime gang.
See: https://redskyalliance.org/xindustry/blackbyte-ransomware
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com