Security & Fraud

Malicious Malware Detected On American Cancer Society’s eComm Site

Credit Card Stealing Code Inserted Into American Cancer Society’s Website

A security researcher discovered that credit card-stealing malware was inserted into the code of the American Cancer Society’s online store, according to TechCrunch.

Willem de Groot discovered the malicious code buried deep, and hidden to look like analytics code. It was meant to scrape credit card numbers for sale on the dark web or other malicious activities.

There have been similar attacks on Newegg, AeroGarden, British Airways and Ticketmaster. The attackers are a hacking group called Magecart, and they’ve been known to attack others in similar ways.

The code is meant to send the numbers to a third-party server, but it was malformed and put in twice. De Groot decoded the information and discovered the web address of the server. The domain is registered in Moscow, but the website that exists only as a decoy page.

The code was removed on Friday (Oct. 25), and it’s not currently known how many people were affected by it. TechCrunch recommends anyone who used a credit card on the American Cancer Society website to contact their payments provider. 

There are at least six different groups operating as Magecart, according to TechCrunch, and security researcher Yonathan Klijnsma, who works at RiskIQ, has been tracking them for a while.

He said they’re a “thriving criminal underworld that has operated in the shadows for years.”

“Magecart is only now becoming a household name,” he added.

The first Magecart group started as early as 2014, when it would set its sights on thousands of sites and then store the stolen data. Groups 2 and 3 started skimming credit cards, and group 4 hacked more than 3,000 sites and grabbed as many card numbers as it could.

Groups 5 and 6 did some of the more high-profile attacks, with the latter responsible for British Airways and Newegg. If the malicious code is discovered, the perpetrators simply move on to another site.



Digital transformation has been forcefully accelerated, but how does that agility translate into the fight against COVID-era attacks and sophisticated identity threats? As millions embrace online everything, preserving digital trust now falls mostly on banks and FIs. Now, advances in identity data and using different weights on the payment mix afford new opportunities to arm organizations and their customers against cyberthreats. From the latest in machine learning for fraud and risk, to corporate treasury teams working in new ways with new datasets, learn from experts how digital identity, together with advances like real-time payments, combine to engender trust and enrich relationships.