News broke yesterday evening that The American Cancer Society’s online store has become the latest victim of credit card stealing malware. A security researcher found the malware on the organisation’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page. The attackers, known as Magecart, use their stolen credit card numbers to sell on the dark web or use the numbers for committing fraud.
Commenting on this, Sam Curry, chief security officer at Cybereason, said “The hackers have a machine that is ready to grind up identities, and they will point it at the industries, countries, and organisations that give them the fastest path to the most money with the least cost and risk. Not-for-profit organisations often have the least resources for support functions, like security, and in the old days of hacking were considered inappropriate targets. Once upon a time, hackers didn’t attack “muggles,” to borrow from JK Rowling’s Harry Potter lexicon. Not so anymore with the almighty dollar dominating the dark side. Everyone can have vulnerabilities and weaknesses, but the American Cancer Society breach should be a wake-up call to everyone: if you aren’t improving your security posture and hygiene constantly, it’s a question of when, not if, the great credit card fraud machinery of organised cybercrime comes for you.”
Jonathan Knudsen, senior security strategist at Synopsys, added “The sabotage of the American Cancer Society shows that no organisation is immune from challenges of cybersecurity. Every organisation has something of value. Cybersecurity is all about finding the balance between that value and the effort required to steal or attack it. The goal is to make the cost of an attack greater than the value that can be stolen. Cyber-attacks are particularly popular because the risks are low, the level of effort is often low, and rewards are high. The best thing defenders can do is ratchet up the level of effort for an attack to the point where potential attackers turn their attention elsewhere.”