National Baseball Hall of Fame Hit By Payment Card Stealing Attack

The web site for the National Baseball Hall of Fame in Cooperstown, NY was hacked to include a malicious MageCart script that stole the payment information of customers who purchased items on the site.

According to a notification filed with California's security breach notification service, the National Baseball Hall of Fame's web site had a malicious script injected into their online store between November 15, 2018 and May 14, 2019.

"The National Baseball Hall of Fame (“Hall of Fame”) values and respects the privacy of your information, which is why we are writing to advise you of a recent incident that may have involved some of your personal information," the notification alerted affected users. "On June 18, 2019, we learned that some of your information could have been obtained by an unauthorized third-party that placed malicious computer code on the Hall of Fame web store (shop.baseballhall.org) e-commerce system. The code may have targeted certain personal information of customers who made a credit card purchase via the web store between November 15, 2018 and May 14, 2019."

The information that could have been stolen includes a customer's name, address and credit or debit card information, including the CVV code.

It should be noted that this attack only affected customers who purchased items from the web site and not in the museum itself.

If you purchased anything from the National Baseball Hall of Fame web site located at https://baseballhall.org/, you should report the situation to your credit card company and monitor your statement for fraudulent purchases.

Payment information stolen by a MageCart attack 

Attackers gained access to the Hall of Fame's web site and injected a malicious script on the site that would monitor for submitted payment information and then forward it to the attackers.

While the script is no longer active on the web site, BleepingComputer was able to locate the code in a snapshot on Archive.org.

As you can see from the image below, the attackers inserted what appears at first glance to be a Google Analytics script. If you look more closely, though, the associated script is being read from www.googletagstorage.com. 

While the domain indicates it belongs to Google, www.googletagstorage.com is actually not registered to them and resolves to an IP address located in Lithuania. This same host has also been seen used in other attacks in the past as shown by the IOCs on AlienVault and IBM's Xforce Exchange.

The script is built to look like a legitimate Google Analytics script, but if you analyze it you can see that it is monitoring the shop's billing form that has an ID of "co-billing-form".

While there is no confirmation that this is the same group, the methods used in this attack are similar to the MageCart Group 4 that was previously described in a report by RiskIQ.