Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer
Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.
January 8, 2025
Fans of the Green Bay Packers football franchise have been tackled by a payment-card skimmer; people who bought merch at the Packers Pro Shop website last fall may have had their personal data harvested.
In a data-breach notification letter to the 8,514 "cheeseheads" affected, the NFL juggernaut noted that its security staff was alerted to the code on Oct. 23, just as the team was gearing up to play the Jacksonville Jaguars in Week 8 of the 2024 season.
"We were alerted to the presence of malicious code inserted on the Pro Shop website by a third-party threat actor," reads the notice, which added that the team immediately asked the outside vendor that hosts the store to take the e-commerce site offline. "The malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website."
Fortunately, the skimmer was active in only two windows: Sept. 23-24 and Oct. 3-23, 2024. Fans who used a gift card, a Pro Shop website account, PayPal, or Amazon Pay weren't exposed.
Cybercriminals were able to score on everyone else though, collecting names, addresses (billing and shipping), emails, and full payment-card information, according to the notice.
According to an analysis from Sansec, a Dutch e-commerce security company that notified Green Bay about the attack, the threat actors abused a JSONP callback and YouTube's oEmbed feature, which allows users to embed content from one website into another website. Ultimately, the skimmers were able to bypass the Content Security Policy (CSP) for the Pro Shop website, and "a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and text area fields on the site, exfiltrating the captured information."
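A CSP that allowlists whole hosts for script loading is only as strong as the least careful endpoint on those hosts, which is the weakness Sansec describes. The sketch below is an added example, not code from Sansec or the Packers' vendor: it audits a policy header for script sources that weaken it. The watch list, function names, and sample policy are assumptions made for illustration.

```javascript
// Added example: flag script sources in a CSP that a JSONP-style endpoint can undermine.
// JSONP_HOSTS is an assumed seed list (YouTube's oEmbed is the host named in this
// incident); extend it from your own review of every allowlisted third party.
const JSONP_HOSTS = ["www.youtube.com"];

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Reduce a host-source such as "https://*.example.com:443/js/" to "*.example.com".
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].split(":")[0].toLowerCase();
}

function auditScriptSources(header) {
  const d = parseCsp(header);
  const sources = d.get("script-src-elem") || d.get("script-src") || d.get("default-src");
  if (!sources) return [{ source: null, issue: "no directive restricts script loading" }];
  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  // With 'strict-dynamic' plus a nonce or hash, CSP3 browsers ignore host allowlists.
  const allowlistIgnored = hasNonceOrHash && sources.some((s) => /^'strict-dynamic'$/i.test(s));
  for (const src of sources) {
    if (/^'unsafe-inline'$/i.test(src) && !hasNonceOrHash) {
      findings.push({ source: src, issue: "inline scripts allowed" });
    } else if (src.startsWith("'") || allowlistIgnored) {
      continue; // keyword, nonce or hash; or a host entry the browser will ignore
    } else if (src === "*" || /^https?:$/i.test(src)) {
      findings.push({ source: src, issue: "any host may serve script" });
    } else {
      const host = hostOf(src);
      const hit = JSONP_HOSTS.find((h) =>
        host.startsWith("*.") ? h.endsWith(host.slice(1)) : h === host);
      if (hit) findings.push({ source: src, issue: `allowlisted host ${hit} is on the JSONP watch list` });
    }
  }
  return findings;
}

// Constructed policy for illustration; not the Pro Shop's actual header.
const SAMPLE = "default-src 'self'; script-src 'self' https://www.youtube.com https://cdn.example.com";
console.log(auditScriptSources(SAMPLE));
```

Run it against the header your checkout pages actually return, not the one in the deployment template, since a hosting vendor or CDN may rewrite it.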
A Pick 6 for Magecart & Other Cybercrime Carders?
While there's no public attribution available for the incident, the cyberattack has all the hallmarks of a classic "Magecart" attack. Magecart is an umbrella term for a loose confederation of groups that steal credit cards by exploiting a vulnerability within a website to inject a malicious piece of code, which simply exfiltrates any data the users put into checkout pages on e-commerce sites.
Lately, these types of attacks have been on the rise, with scores of groups beyond classic Magecart actors running skimmer plays, researchers warn; the Packers are just the latest victim in the pass rush of maliciousness.
"There's no solid theory about why there's been an uptick in skimmer attacks," says Javvad Malik, lead security awareness advocate at KnowBe4. "It could be a case of low-hanging fruit, a lot of e-commerce transactions over the holiday period when people are searching for deals, and also the ease through which some third parties can be compromised without triggering alarms."
According to the Recorded Future Payment Fraud Intelligence group, digital e-skimming will remain a top threat to e-commerce going forward, with bad actors relying on easy-to-use skimmer kits and persistent CMS security vulnerabilities. Plus, smaller security organizations (including those used by many sports franchises) are at particular risk.
"Payment Card Industry Data Security Standard (PCI DSS) requirements will continue aiming to improve security, but the impact will remain limited as many small and medium-sized retailers fail to adhere," said Boris Ivanov, principal malware researcher at Recorded Future, via email. "This gap will worsen the already serious problem of attackers exploiting vulnerable platforms and compromising payment data."
Meanwhile, Malik notes that sports teams might be in cybercriminals' sights as a top target in part due to fan exuberance.
"Technically, sports organizations probably don't have any different challenges than others," he says. "What makes them attractive to criminals though is the fact that they have a loyal fan base that is willing to spend money on tickets and merchandise. Often during busy periods when tickets are released, there is a rush, so people will often ignore any security warnings in a bid to complete their purchase."
The Payment-Skimmer Ground Game Is Hard to Defend Against
Skimmers are also having a moment because the back-end complexity of the code running e-stores is on the rise, which offers cover for malware infestation and makes defense more porous.
"These are difficult to detect by nature, especially when these attacks take place by compromising third-party components, which can end up in organizations' blind spots," explains Malik. "Complexity and the reliance on many third parties is perhaps the biggest challenge to keep modern Web applications secure."
In the Packers' case, the Pro Shop is hosted by a third party, which complicates things even further.
"In the case of organizations outsourcing many components and hosting, security responsibility cannot be outsourced, so many organizations end up with a lack of skilled resources within the organization to keep an eye over the end-to-end security — something that is often fueled by budget constraints," Malik notes.
Ultimately, e-commerce organizations of all stripes, including those catering to Wisconsin NFL fans, need to balance security with business agility and the user experience, which creates a series of challenges. Technical complexity, resource constraints, skills shortages, and organizational culture can all affect how organizations approach Web security, Malik cautions.
"It's about embedding security into the very fabric of the business, rather than treating it as an afterthought," he says. "Some of the things you can do include implementing robust content security policies, undertaking regular security audits and penetration testing, employing real-time monitoring that can detect unusual code or behavior patterns, and finally, educating staff and fostering a culture of cybersecurity."
Dane Sherrets, staff innovation architect at HackerOne, notes that, from a coding standpoint, user input should be considered suspect until proven otherwise.
"Firstly, it's important to remind everyone never to explicitly trust user input and to treat all such inputs as potentially malicious," he says. "The Green Bay Packers incident, in particular, highlights the threat of exploiting a loophole in the site's CSP."
The Green Bay Packers did not immediately return a request for comment.