Cyber Incident Victim: Puma Australia Pty Ltd
Date: Apr 2019
Location: Australia
Summary
A sportswear retailer's Australian website was compromised by credit card skimming malware linked to the Magecart operation, resulting in the theft of customer names, addresses, and payment details, which were transmitted to a Ukrainian server. Security researchers identified sophisticated malicious code disguised as legitimate scripts that adapted dynamically to multiple payment systems. Its support for over 50 global payment gateways indicated coordinated international hacking efforts. The incident exemplified Magecart's broad targeting of e-commerce platforms, using skimmers that evade consumer and merchant safeguards and go undetected until after data theft occurs.
Description
In April 2019, security researcher Willem de Groot of Sanguine Security identified malicious code operating on Puma Australia’s e-commerce website. The script, embedded within the site’s payment page, captured customers’ credit card numbers, names, and addresses as they entered the information during transactions. Forensic analysis revealed the stolen data was transmitted to a server registered in Ukraine. De Groot attributed the attack to Magecart, a collective term for multiple hacking groups employing similar card-skimming techniques against online retailers. The malware exploited vulnerabilities in Puma Australia’s web infrastructure, aligning with Magecart’s established pattern of targeting high-traffic commercial sites. Prior victims included British Airways, NewEgg, and the Atlanta Hawks, though the Puma incident demonstrated Magecart’s continued evolution. De Groot emphasized that consumers typically remained unaware of such compromises until fraudulent charges appeared, while merchants lacked effective detection tools.

The skimming code discovered on Puma’s site exhibited advanced capabilities compared to earlier Magecart variants. It concealed itself using generic script names like “optEmbed” and “selectDuration,” evading conventional security reviews. Unlike most skimmers tailored to specific payment systems, this variant supported over 50 global payment gateways, enabling rapid deployment across diverse e-commerce platforms. De Groot’s proprietary detection tools identified the same malware on 77 additional online stores, suggesting a coordinated international effort. Puma’s status as a leading global sportswear brand—with $4 billion in 2018 sales and significant growth in the Asia/Pacific region—made it a high-value target. The breach underscored Magecart’s operational sophistication, including the development of cross-platform adaptability that reduced attackers’ need for bespoke code per victim. No public statements from Puma Australia regarding containment or remediation were documented in the source material at the time of reporting.
