This article originally appeared in Infosecurity Magazine on May 16, 2019.
Forbes was reportedly back online but went down again at 3:30 pm UTC after reports that the site was hit with the Magecart card-skimming malware, according to security researcher Troy Mursch.
Mursch tweeted on May 15 that Forbes had been infected with the Magecart malware, adding that customers who made a purchase while the site was compromised likely had their credit card information stolen. In a later tweet, Mursch confirmed that the malware had been removed.
Hackers apparently injected obfuscated JavaScript, which could be linked to the ongoing supply chain attacks that have been reported by Willem DeGrootthis week. Forbes is, according to The Register, a customer of Picreel, which has been the victim of a supply chain attack.
Mursch reportedly sent several emails in an attempt to alert Forbes to the Magecart infection and reported the problem to the domain owner, yet he has not heard back from Forbes, The Register said.
“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise,” said Mike Bittner, associate director of digital security and operations, The Media Trust.
“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making them hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ rev ops teams, who make pivotal decisions on security and privacy.
“The bottom line here is that publishers should carefully vet ALL their third parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”
