Cyber Incident Victim: Feedify
Date: Aug 2018
Location: United States of America
Summary
Magecart attackers compromised Feedify, a customer engagement service, to inject payment card skimming code into a script served to hundreds of e-commerce websites. The attackers repeatedly modified the script after initial removal efforts, maintaining persistent access to Feedify's servers. Security researchers warned affected vendors to disable the compromised script until the breach was fully resolved, noting its presence on nearly 300 sites, though not all of those sites required payment data entry. This incident exemplified Magecart's shift toward targeting third-party script providers to compromise multiple online platforms simultaneously, mirroring tactics seen in other high-profile breaches where customized skimming code and infrastructure were deployed to evade detection during payment processing.
Description
On or around August 17, 2018, attackers associated with the Magecart group compromised Feedify, a customer engagement service provider. The attackers repeatedly modified a JavaScript file served by Feedify to embed payment card skimming code. This script was delivered to approximately 300 e-commerce websites utilizing Feedify’s services, though not all sites necessarily processed payment card information. The compromise was first identified by an individual using the alias Placebo, who publicly reported the issue via Twitter. Following this notification, Feedify removed the malicious script. However, the attackers retained access to Feedify’s servers and repeatedly reintroduced the skimming code, indicating persistent unauthorized access. Security researcher Kevin Beaumont advised affected e-commerce vendors to immediately remove the compromised Feedify script link from their websites until the breach was fully resolved. As of September 13, 2018, Feedify had not issued any public statement acknowledging the incident or detailing remediation efforts.

Magecart, a term used by researchers to describe multiple threat groups engaging in digital skimming operations, historically targeted individual e-commerce platforms before shifting focus to third-party service providers like Feedify to maximize reach. Prior to the Feedify incident, Magecart actors executed high-profile attacks against TicketMaster and British Airways. In the British Airways case, attackers customized their skimming script to evade detection and deployed infrastructure mimicking legitimate payment processing systems. RiskIQ researcher Yonathan Klijnsma clarified that while British Airways utilized a third-party script, the compromise occurred through direct modification of self-hosted files on the airline’s servers, distinguishing it from the Feedify incident where attackers compromised a third-party’s infrastructure to distribute malicious code. The Feedify breach demonstrated Magecart’s continued adaptation in targeting supply chain vulnerabilities to harvest payment data across multiple victims simultaneously.
