Cyber Incident Victim: Forbes
Date: May 2019
Location: United States of America
Summary
Hackers compromised the Forbes subscription website by injecting a Magecart script that harvested customers' payment card details—including card numbers, expiration dates, and CVV/CVC codes—alongside personal information like names, addresses, phone numbers, and emails. The obfuscated skimmer exfiltrated data via the WebSocket protocol to an attacker-controlled server, later disabled through domain abuse mechanisms. This incident aligns with Magecart's broader pattern of targeting both high-profile entities and smaller retailers through digital skimming attacks, leveraging compromised infrastructure to steal sensitive financial data.
Description
On or around May 15, 2019, cybersecurity researchers identified a Magecart payment card skimmer operating on Forbes Magazine’s subscription website (forbesmagazine.com). Attackers had injected an obfuscated script into the site’s checkout page to harvest payment card details and personally identifiable information from customers during transactions. The malicious script collected card numbers, expiration dates, CVV/CVC verification codes, names, addresses, phone numbers, and email addresses. Bad Packets Report co-founder Troy Mursch publicly disclosed the compromise, confirming the script’s presence and functionality. Analysis of the deobfuscated code showed that the attackers used the WebSocket protocol, the bidirectional communication protocol specified in IETF RFC 6455, to exfiltrate stolen data to a command-and-control server under their control. The domain receiving the exfiltrated data was subsequently disabled through Freenom’s abuse API, which enabled rapid takedown of the malicious infrastructure.
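
Because the skimmer sent data over a WebSocket rather than an ordinary HTTP request, one detection is to record a browser session on the checkout page as a HAR file and flag any `ws:`/`wss:` connection to a host the page is not expected to use. The following is an added example, not code from the original report or from the researchers named above; the allowlist, hostnames and HAR fragment are constructed placeholders.

```javascript
// Added example: flag WebSocket connections to non-allowlisted hosts in a
// HAR capture of a checkout page. All hostnames are constructed placeholders.

// Hosts the checkout page is expected to contact (assumption for this example).
const ALLOWED_HOSTS = ["shop.example", "payments.example"];

function hostAllowed(host, allowed) {
  // Exact match or a true subdomain; "xshop.example" must not pass as "shop.example".
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

function findUnexpectedWebSockets(har, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const entry of har?.log?.entries ?? []) {
    let url;
    try {
      url = new URL(entry?.request?.url);
    } catch {
      continue; // malformed or missing URL: nothing to classify
    }
    // Only WebSocket handshakes are of interest here.
    if (url.protocol !== "ws:" && url.protocol !== "wss:") continue;
    const host = url.hostname.toLowerCase();
    if (!hostAllowed(host, allowed)) {
      findings.push({ host, url: url.href, startedDateTime: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed HAR fragment: one page load, one expected socket, two unexpected.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2024-01-01T10:00:00.000Z", request: { url: "https://shop.example/checkout" } },
      { startedDateTime: "2024-01-01T10:00:01.000Z", request: { url: "wss://live.shop.example/cart" } },
      { startedDateTime: "2024-01-01T10:00:02.000Z", request: { url: "wss://collector.invalid/ws" } },
      { startedDateTime: "2024-01-01T10:00:03.000Z", request: { url: "wss://xshop.example/" } },
      { startedDateTime: "2024-01-01T10:00:04.000Z", request: {} },
    ],
  },
};

for (const f of findUnexpectedWebSockets(SAMPLE_HAR)) {
  console.log(`unexpected WebSocket: ${f.url} at ${f.startedDateTime}`);
}
```
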

Magecart threat actors, active since at least 2015, historically targeted numerous high-profile organizations including Ticketmaster, British Airways, OXO, and Newegg prior to the Forbes incident. This attack occurred amid broader Magecart activity in spring 2019, including late-April compromises of hundreds of Magento stores via skimmer scripts hosted on GitHub repositories and an intrusion against the Atlanta Hawks NBA team’s online shop documented by Sanguine Security. The Forbes skimmer shared operational similarities with these campaigns but contained execution flaws that intermittently prevented script functionality, inadvertently limiting data theft from some visitors. No Forbes-specific remediation actions were detailed in available reporting beyond the domain takedown, though the continued presence of the obfuscated script on the website at the time of disclosure indicated potential delays in complete script removal. The incident exemplified Magecart’s persistent focus on e-commerce platforms and third-party script vulnerabilities to harvest financial data at scale.
