
Cyber Incident Victim: MyPillow

Date: Apr 2017

Location: Russia

Summary

MyPillow.com was hit by a MageCart attack in which malicious JavaScript was injected into its checkout pages, letting the attackers capture customer payment details as they were entered. The skimming code was hosted on deceptive domains that mimicked services the site already used, which helped it evade detection. The company acknowledged the incident but stated it had found no evidence that customer data was compromised; customers were nevertheless advised to monitor their payment cards for unauthorized activity. The attackers rotated infrastructure and techniques over the course of the campaign, including lookalike domains and reverse-proxy obfuscation, to maintain their foothold and avoid identification.


Description

MyPillow.com suffered multiple MageCart payment-card skimming attacks between October and November 2018, according to forensic analysis by RiskIQ. The threat actors first compromised the site in October 2018 by registering the typosquatting domain mypiltow.com and injecting JavaScript loaded from that domain into MyPillow's checkout pages. This initial attack was short-lived, but it was quickly followed by a more sophisticated campaign using the deceptive domain livechatinc.org, chosen to mimic the legitimate LiveChat service already integrated into the website, so that the injected script tag blended in with the site's genuine third-party includes. The malicious scripts captured customer payment information as it was entered during online transactions and exfiltrated it to attacker-controlled servers. RiskIQ observed the final skimming activity on November 19, 2018, with no subsequent attacks detected through its monitoring. MyPillow confirmed the incident to BleepingComputer in December 2018 but stated there was no evidence that customer data had actually been compromised, despite the confirmed presence of skimming infrastructure on its pages.


The attackers used lookalike domains and reverse-proxy techniques to evade detection, registering domains that closely resembled legitimate services used by the bedding retailer. RiskIQ's investigation identified two distinct attack waves separated by a brief interval, with the threat actors adapting their infrastructure between campaigns. The exact number of affected customers has not been disclosed, but an exposure window of nearly two months on the checkout pages created significant risk of payment-card fraud. MyPillow did not say publicly whether forensic investigation confirmed data theft, maintaining its position that no information was confirmed as compromised. Its response included removing the malicious scripts and, presumably, hardening the web infrastructure; security researchers observed no further skimming activity after November 2018.
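The delivery technique described above, a checkout page pulling JavaScript from a lookalike of a third-party domain the site already trusts, is something a defender can check for mechanically. The following Python script is an added example, not code from the original page, from RiskIQ or from MyPillow: it parses a constructed checkout-page fragment, extracts every external script host, and flags any host that is missing from an allowlist or that resembles an allowlisted host (same second-level label under a different TLD, as with livechatinc.org versus livechatinc.com, or a near-identical label, as with mypiltow versus mypillow). The allowlist, the sample HTML and the similarity threshold are assumptions made for illustration.

```python
"""Flag <script src> hosts on a checkout page that are unknown or lookalikes of trusted hosts."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads scripts from (assumed allowlist for this example).
ALLOWED_SCRIPT_HOSTS = {"www.mypillow.com", "cdn.livechatinc.com"}

# Constructed checkout fragment: a first-party script, the genuine LiveChat loader,
# and two injected loaders using the lookalike domains named in the incident write-up.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.mypillow.com/js/checkout.js"></script>
<script src="https://cdn.livechatinc.com/tracking.js"></script>
<script src="https://www.mypiltow.com/js/checkout.js"></script>
<script src="https://livechatinc.org/tracking.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_script_hosts(html):
    """Return the lower-cased hostname of each external script; relative paths are skipped."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src, scheme="https").hostname  # scheme default handles //host/path
        if host:
            hosts.append(host.lower())
    return hosts


def registrable_label(host):
    """Second-level label, e.g. 'livechatinc' for 'cdn.livechatinc.com'.
    Simplification: assumes a one-label public suffix (no .co.uk-style suffixes)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike_of(host, allowed_hosts, cutoff=0.85):
    """Return the allowlisted host that `host` most resembles, or None.
    Same second-level label under another suffix is always a match; otherwise the
    labels must be similar at or above `cutoff` (difflib ratio, assumed threshold)."""
    label = registrable_label(host)
    best, best_score = None, 0.0
    for allowed in sorted(allowed_hosts):
        allowed_label = registrable_label(allowed)
        if label == allowed_label:
            return allowed
        score = difflib.SequenceMatcher(None, label, allowed_label).ratio()
        if score >= cutoff and score > best_score:
            best, best_score = allowed, score
    return best


def audit_checkout_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (host, verdict) pairs; verdict is 'allowed', 'lookalike of <host>' or 'unknown'."""
    findings = []
    for host in external_script_hosts(html):
        if host in allowed_hosts:
            findings.append((host, "allowed"))
            continue
        twin = lookalike_of(host, allowed_hosts)
        findings.append((host, f"lookalike of {twin}" if twin else "unknown"))
    return findings


def suspicious_hosts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Only the hosts that need a human to look at them."""
    return [h for h, v in audit_checkout_scripts(html, allowed_hosts) if v != "allowed"]


if __name__ == "__main__":
    for host, verdict in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{host:24} {verdict}")
```

Run against the sample, the two genuine loaders come back as allowed and the two injected ones are reported as lookalikes of www.mypillow.com and cdn.livechatinc.com. The same allowlist, enforced in the browser rather than in an offline audit, is what a Content-Security-Policy `script-src` directive provides; the offline check remains useful because it also surfaces the near-miss domains that a human reviewing a policy or a page source might read past.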
