Cyber Incident Victim: Amerisleep
Date: Apr 2017
Location: United States of America
Summary
Amerisleep experienced a prolonged MageCart attack in which malicious scripts were injected into its checkout pages to steal customer payment card data during transactions. The attackers used eight distinct domains to host skimming scripts over several months, repeatedly adapting their infrastructure. After a temporary cessation, the company was targeted again via a fraudulent GitHub repository hosting additional malicious code, and subsequent attacks employed another domain on which the skimmer remained active despite notification attempts. These incidents exemplify persistent efforts by threat actors to compromise e-commerce platforms through evolving tactics aimed at harvesting sensitive financial information.
Description
The Amerisleep incident involved a prolonged MageCart attack targeting the mattress company's e-commerce platform between April and October 2017. Threat actors first compromised the website on April 13, 2017, by injecting malicious JavaScript from the domain magescripts.pw into checkout pages. This script intercepted payment card details during customer transactions and exfiltrated the data to attacker-controlled servers. Over the next six months, attackers cycled through eight distinct malicious domains to maintain persistence, including cdnmage.com (active May 2-5, 2017), configsysrc.info (June 5, 2017), and magejavascripts.com (August 24-31, 2017). Each domain hosted skimming scripts designed to blend with legitimate site functionality. The final observed skimmer domain in this campaign, js-cloud.com, operated from October 14-16, 2017, after which the malicious code was removed from Amerisleep's systems.

This card-skimming operation directly compromised payment information submitted through Amerisleep's online checkout during the seven-month breach window. RiskIQ researchers confirmed that attackers successfully exfiltrated credit card data throughout the active skimming periods, though the exact number of affected customers remains undisclosed. The company did not publicly acknowledge the breach during the 2017 campaign period. Following the October 2017 skimmer removal, the website remained clear of MageCart activity until December 2018, when attackers resumed operations through new infrastructure. Security researchers observed that the skimming scripts remained active on Amerisleep's site as late as January 2019 despite multiple notification attempts, indicating potential gaps in detection and response capabilities during both attack phases.
