MyPillow and Amerisleep wake up to Magecart card theft nightmare

The US firms may have a few sleepless nights over the security breaches.


Sleep may become a precious commodity for the cybersecurity teams tasked with dealing with the aftermath of two data breaches believed to be the work of Magecart.

MyPillow and Amerisleep are both popular mattress and bedding merchants in the United States. While their websites boast the best deals around for a proper night's sleep, what is missing is any acknowledgment of two separate security incidents potentially affecting their customers -- incidents which RiskIQ says date back as far as 2017.

Magecart is a prolific hacking group with a particular fondness for compromising online payment systems and using card-skimming malware to steal customer data.

The hacking group is believed to be responsible for data breaches occurring at companies including British Airways, Newegg, Ticketmaster, Feedify, and Shopper Approved.

In a blog post on Wednesday, RiskIQ researcher Yonathan Klijnsma said the company documents "hundreds" of Magecart incidents on a daily basis, but the majority are not made public.

The two impacting MyPillow and Amerisleep, however, are of note.

MyPillow was targeted in October 2018. Magecart was able to compromise the company's e-commerce and sales platform for the purpose of skimming and stealing credit card information submitted by customers.

The threat group also registered a typosquatting domain, mypiltow.com, and obtained an SSL certificate for it from Let's Encrypt. The domain name, which could easily be missed by those lured into visiting the website, is close enough to the real one to appear legitimate, and the use of such domains is a common tactic among hackers seeking to steal online credentials.

"Based on what RiskIQ sees typically, this type of domain registration typosquatting means that the attackers had already breached MyPillow and started setting up infrastructure in its name," Klijnsma said.


A script injection attack then took place on the legitimate MyPillow domain. The script, hosted on the squatting domain, contained JavaScript code and a heavily obfuscated skimmer.

By the end of the month, Magecart had moved on to stage two. A new domain was registered, livechatinc.org, which impersonated the LiveChat live-support service used by MyPillow. The malicious script, by now firmly entrenched in MyPillow, was then modified to contain a new script tag which mimicked the genuine tag used by the live-support service.
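The two stages above come down to one observable on the merchant's side: a checkout page loading a script from a host that is almost, but not quite, one it should trust. The following Python audit is an added example (it is not RiskIQ's tooling and not code from the article): it extracts external script sources from a page, checks each hostname against an allowlist, and flags lookalikes both by edit distance on the second-level label (mypiltow vs mypillow) and by a swapped top-level domain (livechatinc.org vs a .com vendor host). The allowlist, the sample markup and every hostname in it are constructed for this example; cdn.livechatinc.com is assumed here as the vendor's legitimate host.

```python
"""Audit <script src> hosts on a checkout page against an allowlist.

Added example: flags typosquat-style lookalikes of expected script hosts.
All hosts and markup below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of hosts a checkout page is expected to load scripts from.
# A tuple keeps iteration order (and therefore the reported reference) stable.
ALLOWED_HOSTS = ("www.mypillow.com", "mypillow.com", "cdn.livechatinc.com")

# Constructed sample page in the shape the article describes: a first-party
# script, a genuine chat-vendor tag, and two lookalike-domain injections.
SAMPLE_HTML = """
<html><head>
<script src="https://www.mypillow.com/static/checkout.js"></script>
<script src="https://cdn.livechatinc.com/tracking.js"></script>
<script src="https://mypiltow.com/js/jquery.min.js"></script>
<script src="https://livechatinc.org/tracking.js"></script>
</head><body></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(host):
    """Return (second-level label, top-level label) for a hostname.

    Simplification for the example: the last two labels are treated as the
    registrable domain; public-suffix cases such as co.uk are not handled.
    """
    parts = host.lower().split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(host, allowed=ALLOWED_HOSTS, max_dist=2):
    """Classify a script host: allowed, lookalike-name, lookalike-tld, unknown."""
    host = host.lower()
    if host in allowed:
        return ("allowed", host)
    sld, tld = split_domain(host)
    for good in allowed:
        good_sld, good_tld = split_domain(good)
        if sld == good_sld and tld != good_tld:
            return ("lookalike-tld", good)          # same name, swapped TLD
        if 0 < levenshtein(sld, good_sld) <= max_dist:
            return ("lookalike-name", good)         # near-miss spelling
    return ("unknown", None)


def audit(html, allowed=ALLOWED_HOSTS):
    """Return (src, verdict, reference host) for each external script."""
    findings = []
    for src in script_srcs(html):
        host = urlsplit(src).hostname
        if host is None:          # relative URL: same-origin, skip here
            continue
        verdict, ref = classify(host, allowed)
        findings.append((src, verdict, ref))
    return findings


if __name__ == "__main__":
    for src, verdict, ref in audit(SAMPLE_HTML):
        print(f"{verdict:15} {src}" + (f"  (cf. {ref})" if ref else ""))
```

Run against a saved copy of the checkout page, this separates the genuine vendor tag from the squatted one; an "unknown" verdict is worth a look too, since a skimmer need not use a lookalike name at all. The same comparison generalises to any host that should appear in a page's Content Security Policy allowlist.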

The skimmer was last detected as active on November 19, 2018.

MyPillow CEO Mike Lindell confirmed the breach to sister site CNET, saying that a subsequent investigation "found no indication that the breach was effective or that any customers' information was compromised."

Customers were never informed. In Amerisleep's case, customers have likewise been kept completely unaware of any Magecart compromise -- and this breach is still ongoing.


Amerisleep's incident appears to be more severe and dates back to April 2017. A script was injected into the firm's website, a skimmer was deployed, and fake domains were again used to host the malicious code underpinning the attack.

It is believed the first skimming operation ran from April to October 2017. Amerisleep was then clear of any skimmers until December 2018, when the company once again fell prey to the threat group.

In the second round of skimming, Magecart used a new setup by registering GitHub pages under Amerisleep's name. The account's address, amerisleep.github.io, hosted the code required to continue compromising the website.

While novel, using a service such as GitHub meant the page was quickly taken down, and Magecart went back to using its own squatted domains.

In January, the hackers changed tactics once again, potentially as a means of blending in, by activating the script only on payment pages rather than on every Amerisleep page.

The cybersecurity firm says that while the skimmer domain has now been taken offline, the injection is still present and live.

"Attempts to inform Amerisleep through their support desk and directly via email have gone unanswered," RiskIQ says.

Amerisleep had not responded to requests for comment at the time of writing.

RiskIQ says there are no indications of a slowdown in Magecart activity, and SMBs may be the most at risk of compromise. Previous research by security researcher Willem de Groot suggests that one in five Magecart-infected stores becomes reinfected quickly, with an average reinfection time of just over ten days.


"With the increased efficiency of credit-card skimming groups, the time it takes for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly," the firm added. "Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves."
