Malwarebytes Says PlayBack Now Customer Sites Compromised
While most payment card skimming attacks zero in on ecommerce sites for consumers, a newly discovered attack targeted PlayBack Now, an online video conferencing firm, Malwarebytes reports.
About 40 PlayBack Now customers, including the National Association of Realtors, American Diabetes Association and the American College of Physicians, have been affected by the scam, but the number of their clients that may have had data compromised is not known. Information stolen includes cardholder names, credit card numbers, expiration dates and the card’s CVV, according to Malwarebytes.
“The typosquatting is meant to deceive site administrators reviewing the page’s source code, rather than shoppers typing in the wrong address,” Jerome Segura, director of threat intelligence at Malwarebytes, tells Information Security Media Group. “The whole idea is to inject a malicious line of code using a domain name that looks like the real one. If you’re not paying too much attention you might think that this link is legitimate.”
When a PlayBack Now customer purchased a course or conference recording via an infected website, their personal and credit card data was leaked to criminals via the same malicious domain housing the skimmer, according to Malwarebytes.
Malwarebytes disclosed the following information on the fake website the fraudsters used to facilitate skimmer installation:
- Domain name: playbacknows.com;
- Creation Date: 2020-09-21T20:22:10.00Z;
- Registrar: NAMECHEAP INC;
- Registrant Name: WhoisGuard Protected;
- Registrant Street: P.O. Box 0823-03411;
- Registrant City: Panama.
Accessing PlayBack Now
Malwarebytes says the attackers may have used the Golang brute force tool, or the initial breach may have exploited a Magento vulnerability.
The researchers noted that thousands of Magento content management systems were attacked after the release of the Golang exploitation tool (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).
A spokesperson for PlayBack Now did not immediately reply to a request for comment.