Cyber Incident Victim: Black Phoenix Alchemy Lab
Date: May 2018
Location: United States of America
Summary
A cyberattack targeted an online retailer's main website by injecting malicious code into the checkout page that handled credit card transactions processed through AuthorizeNet. The breach potentially exposed payment card details, billing addresses, contact information, and security codes for fewer than 150 customers who made purchases during a specific window. Because the retailer did not store credit card data, no historical card data was at risk, but the attackers also created a fraudulent administrative account, raising concerns about broader unauthorized access to customer profiles. The organization responded by immediately neutralizing the malicious code, forcing password resets, migrating to a secured server infrastructure, removing the unauthorized account, engaging law enforcement, and directly notifying potentially affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Black Phoenix Alchemy Lab (BPAL) website experienced a security breach between May 1 and May 16, 2018, marking the first such incident in the company's 16-year history. Attackers injected malicious code into the checkout page segment handling credit card data bound for AuthorizeNet, though the exact intrusion timeline remained undetermined. The compromise exclusively affected customers using the AuthorizeNet payment gateway during this window, with PayPal transactions, in-person convention sales, and purchases through affiliated sites (BPTP, TAL, Amazon, Etsy) remaining unaffected. On May 16, developers discovered suspicious code during routine monitoring, prompting an immediate sitewide password reset as a precaution while forensic analysis commenced. Subsequent investigation revealed the code's purpose was harvesting credit card information, leading to full neutralization of the threat. Forensic evidence indicated attackers created an unauthorized administrator account, potentially enabling access to additional customer data beyond payment details.

The breach potentially exposed credit card numbers, expiration dates, security codes, cardholder names, billing addresses, telephone numbers, and email addresses for approximately 150 customers. BPAL confirmed no historical payment data was compromised, as the company did not store credit card information locally. Response measures included immediate code eradication, server migration to a managed infrastructure environment, removal of the fraudulent admin account, and comprehensive security audits. The organization initiated direct notifications to at-risk customers and reported the incident to AuthorizeNet, the FBI, and Los Angeles law enforcement. Security enhancements included implementing stricter intrusion detection systems and additional hardening protocols. No evidence confirmed actual data exfiltration, though the malicious code's design indicated attempted harvesting. The public disclosure occurred via formal notice on May 18, 2018, following two days of internal verification and compliance with legal notification requirements.
