
Cyber Incident Victim: Rooster Teeth Productions

Date: Dec 2019

Location: United States of America

Summary

Rooster Teeth Productions experienced a cybersecurity breach where attackers compromised its online store, injecting malicious code that redirected customers to fraudulent payment pages during checkout. This tactic harvested shoppers' personal and payment information, including names, contact details, addresses, and credit card data. Unlike typical Magecart skimming attacks, this operation utilized geographically tailored phishing domains to impersonate legitimate payment processors, capturing submitted data before redirecting users back to the genuine checkout page. The malicious script was identified and removed promptly, but not before exposing customer data. The incident highlighted evolving attacker methodologies blending script injection with deceptive redirection techniques to steal sensitive financial details.


Description

On December 2, 2019, Rooster Teeth Productions discovered a breach affecting its online store, where attackers injected malicious code earlier that same day. The compromised code redirected customers during the checkout process—specifically after they entered shipping details—to a spoofed payment webpage controlled by the attackers. This fraudulent page prompted users to submit payment card details, along with their name, email address, telephone number, and physical address, before redirecting them back to the legitimate store payment page to re-enter their information. The attackers harvested data from users who completed the fake form. Rooster Teeth identified and removed the malicious code on December 2, limiting the exposure window to a single day. The company subsequently notified affected customers via data breach letters and offered a complimentary one-year subscription to Experian IdentityWorks for credit monitoring. Security researchers noted the breach impacted shoppers globally, with attackers deploying region-specific phishing pages mimicking legitimate payment processors.


The attack diverged from conventional Magecart operations, which typically involve covert card-skimming scripts embedded in checkout flows. Instead, this incident employed overt redirection to external phishing domains, including payment-mastercard.com, google-analytics.top, and sagepay-live.com, among others listed by Malwarebytes researcher Jérôme Segura. These domains impersonated trusted payment services like Google Pay or Commonwealth Bank, dynamically adapting to the victim’s geographic location. RiskIQ analyst Yonathan Klijnsma linked the breach to tactics described in his "Full(z) House" report on evolving digital crime groups. Although the data exfiltration method differed from Magecart, the outcome remained identical: attackers captured payment details and personal information. Rooster Teeth’s public disclosure did not specify the number of affected customers or confirm whether stolen data was misused post-breach. The company’s response focused on breach notification, malicious code eradication, and identity protection offerings without disclosing technical details about the initial intrusion vector or attacker attribution.
