Cyber Incident Victim: Intersport
Date:
Apr 2020
Location:
Croatia
Summary
A sporting goods retailer experienced a web skimming attack compromising its online checkout systems across multiple European markets, with malicious code intermittently active during the pandemic's shift to e-commerce. The breach impacted regional website versions in several Balkan countries, where attackers injected payment card-stealing scripts that were removed after each detection. While the company asserted no financial data was successfully intercepted, security researchers advised affected customers to monitor for fraudulent transactions following two separate intrusion periods. The incident occurred alongside similar breaches targeting other major retailers' online platforms during widespread physical store closures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Intersport web skimming incident occurred in the context of a broader Magecart campaign targeting major retailers during the COVID-19 pandemic. On April 30, 2020, attackers compromised Intersport's e-commerce infrastructure, injecting malicious JavaScript code designed to harvest payment card details entered by customers during checkout. The skimming operation specifically targeted regional versions of Intersport's website serving Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina – countries within the retailer's primary European market of over 5,800 physical stores. Security researcher Willem de Groot documented that Intersport initially removed the skimmer by May 3, but attackers successfully reinfected the systems on May 14. The malicious code operated by intercepting and exfiltrating customer payment information to attacker-controlled servers while maintaining the appearance of normal checkout functionality. This regionalized attack pattern suggested deliberate targeting of specific markets rather than indiscriminate deployment across Intersport's global digital properties.
Antivirus firm ESET detected the second compromise and notified Intersport, prompting complete removal of the skimming code within hours of the May 14 reinfection. Intersport issued a public statement acknowledging the security incident but asserted that "no payment card information were intercepted," without providing forensic evidence supporting this claim. Despite the company's denial, security researchers and ESET advised customers who made purchases during the active compromise periods (April 30-May 3 and May 14) to monitor bank statements for fraudulent transactions and contact their card issuers. The incident coincided with widespread COVID-19 retail closures that had forced Intersport to redirect customers to online channels, potentially increasing attack surface exposure. No specific customer impact numbers were disclosed, though the breach duration exposed multiple regional customer bases across two separate intrusion windows spanning approximately one week total.