Cyber Incident Victim: National Baseball Hall of Fame
Date: Nov 2018
Location: United States of America
Summary
The National Baseball Hall of Fame experienced a cybersecurity breach in which attackers injected malicious MageCart code into its online store, targeting payment information submitted by customers during purchases. The compromised data included names, addresses, and credit or debit card details with CVV codes. The malicious script, designed to mimic legitimate analytics code, monitored and exfiltrated form submissions from the checkout page. The attack affected only online transactions over a six-month period; the script was later identified as inactive but was linked to a known malicious domain previously associated with similar campaigns. The incident exposed customer payment data to potential fraudulent use, though physical museum transactions remained unaffected.
Description
The National Baseball Hall of Fame's online store at shop.baseballhall.org was compromised by attackers who injected malicious MageCart script code into the website between November 15, 2018, and May 14, 2019. The breach was discovered by the organization on June 18, 2019, when they determined an unauthorized third party had planted code designed to harvest payment card data from customers completing transactions. According to a notification filed with California's security breach reporting system, the script actively monitored and exfiltrated personal information entered during checkout processes on the affected e-commerce platform. The stolen data included customers' full names, billing addresses, credit or debit card numbers, and CVV security codes. The compromise exclusively impacted individuals who made online purchases through the web store during the six-month intrusion period, with no evidence of physical point-of-sale systems at the Cooperstown museum being affected.

Forensic analysis revealed the attackers disguised their card-skimming script as a Google Analytics tracking code, hosting it on the deceptive domain www.googletagstorage.com – a name mimicking legitimate Google infrastructure but actually resolving to a Lithuanian IP address associated with previous cybercriminal operations. The malicious code specifically targeted form submissions from the checkout page's billing section, identified by the "co-billing-form" HTML element. Though the script had been removed by the time of public disclosure, security researchers preserved evidence through Archive.org snapshots showing the operational skimmer. The Hall of Fame notified potentially affected customers directly, advising them to contact financial institutions regarding fraudulent charges and monitor account statements. While the attack methodology bore similarities to techniques attributed to MageCart Group 4 in prior cybersecurity reports, no formal attribution to that specific threat actor was confirmed in this incident.
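
The disguise described above depends on a script host that reads like Google infrastructure. As an added example (not code from the Hall of Fame or from the original report), this Python check audits a saved checkout page for script hosts outside an operator-defined allowlist; the allowlist contents, the brand tokens, the sample HTML and the `gtm.js` path are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the store operator has approved for checkout-page scripts.
ALLOWED_SCRIPT_HOSTS = {
    "shop.baseballhall.org",
    "www.google-analytics.com",
    "www.googletagmanager.com",
}
# Assumption: brand tokens whose presence in an unapproved host suggests impersonation.
BRAND_TOKENS = ("google", "gtag", "analytics")

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_checkout_scripts(html, page_host):
    """Return (host, reason) findings for script hosts not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Relative URLs have no hostname and resolve against the page host.
        host = (urlparse(src).hostname or page_host).lower()
        if host in ALLOWED_SCRIPT_HOSTS:
            continue
        if any(token in host for token in BRAND_TOKENS):
            findings.append((host, "unapproved host imitating a trusted brand"))
        else:
            findings.append((host, "unapproved third-party script host"))
    return findings

# Constructed sample of a checkout page, modelled on the description above.
SAMPLE_CHECKOUT = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//www.googletagstorage.com/gtm.js"></script>
</head><body><form id="co-billing-form"></form></body></html>
"""
```

A static audit like this only sees `<script src>` tags present in the served HTML; a Content-Security-Policy `script-src` allowlist enforces the same host list in the browser, including for scripts added at runtime.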
