Cyber Incident Victim: Greenworks
Date: Jun 2020
Location: United States of America
Summary
A sophisticated self-destructing payment card skimmer compromised the U.S. website of Greenworks, a power tool distributor, stealing customer payment card details, account credentials, and personal information during checkout. The malicious script employed advanced evasion tactics, including triggering only on mouse movement to avoid automated detection, hiding itself from browser developer tools, and self-destructing if tampered with by researchers. Hosted on a cryptocurrency-purchased domain, the skimmer remained active post-discovery despite researcher notifications, potentially impacting thousands of customers due to a significant recent increase in website traffic. The attack leveraged obfuscated code with anti-analysis mechanisms similar to previously documented skimming campaigns.
Description
On June 8, 2020, researchers at RapidSpike identified a sophisticated credit card skimming operation targeting the U.S. website of Greenworks Tools (greenworkstools[.]com), a distributor of battery-powered home and garden tools operating since 2007. The malicious script, designed to steal payment card data during checkout, employed multiple evasion techniques including DOM manipulation to conceal itself from browser developer tools and an 'onmouseover' event trigger to avoid detection by automated security systems. Attackers injected an empty element into the website footer, creating an overlay across the checkout page to intercept customer data. The skimmer exfiltrated credit card numbers, CVV codes, expiration dates, account credentials, phone numbers, and delivery addresses to a server at the domain congolo[.]pro, registered anonymously using Bitcoin. The script featured advanced anti-analysis measures, including self-destruction if modified by researchers—triggered by any change to its character count—which would display an error message and disable its malicious functionality. This behavior mirrored the 2019 Pipka skimmer documented by Visa, though with enhanced obfuscation. RapidSpike confirmed the skimmer remained active as of June 10 despite notification attempts to Greenworks.

The compromise occurred amid a significant traffic surge on Greenworks’ U.S. platform, with monthly visitors rising from 45,000 in February 2020 to 350,000 by May 20. While exact transaction volumes were unavailable, researchers estimated thousands of customers who made purchases between June 8 and June 10 were at risk of financial data theft. The skimmer’s persistence for at least two days post-discovery amplified potential impacts, though no confirmed data misuse was reported in the source material. Greenworks did not publicly acknowledge the breach or deactivate the malicious script by the article’s publication date, and the company did not respond to inquiries from RapidSpike or BleepingComputer. Customers were advised through media reports to contact financial institutions to cancel payment cards used on the site during the exposure window. The attackers’ use of cryptocurrency for domain registration and script anti-tampering mechanisms complicated attribution and forensic analysis efforts.
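The capture layer described above (an empty element injected into the footer and stretched over the checkout form) leaves a measurable footprint in page geometry. The following added example is not code from the report or from Greenworks: it is a defender-side integrity check that flags empty elements sitting over the payment form. The geometry logic is a pure function so it can be tested outside a browser; `collectFromDocument()` is a thin DOM adapter, and the element records and the `SAMPLE` layout are constructed for illustration.

```javascript
// Element record shape: { id, rect: {x, y, w, h}, isEmpty, isFormAncestor }
// (constructed for this example; in a browser, collectFromDocument() builds them)

// True when `outer` fully contains `inner` in viewport coordinates.
function covers(outer, inner) {
  return outer.x <= inner.x && outer.y <= inner.y &&
    outer.x + outer.w >= inner.x + inner.w &&
    outer.y + outer.h >= inner.y + inner.h;
}

// Flags elements that cover the whole checkout form yet carry no content of
// their own and are not the form's ancestors: the shape of an injected overlay.
// Hits are candidates for review, not proof of compromise.
function findSuspectOverlays(elements, formRect) {
  return elements
    .filter(el => !el.isFormAncestor && el.isEmpty && covers(el.rect, formRect))
    .map(el => el.id);
}

// Browser adapter: builds records from the live DOM. Call only where `document`
// exists (e.g. from a synthetic-monitoring script on the checkout page).
function collectFromDocument(formSelector) {
  const form = document.querySelector(formSelector);
  if (!form) return { elements: [], formRect: null };
  const r = form.getBoundingClientRect();
  const formRect = { x: r.left, y: r.top, w: r.width, h: r.height };
  const elements = Array.from(document.body.querySelectorAll('*')).map((node, i) => {
    const b = node.getBoundingClientRect();
    return {
      id: node.id || `${node.tagName.toLowerCase()}#${i}`,
      rect: { x: b.left, y: b.top, w: b.width, h: b.height },
      isEmpty: node.childElementCount === 0 && node.textContent.trim() === '',
      isFormAncestor: node.contains(form),
    };
  });
  return { elements, formRect };
}

// Constructed sample layout: a 400x300 checkout form and three elements, one of
// which is an empty div injected into the footer but positioned over the form.
const SAMPLE = {
  formRect: { x: 100, y: 200, w: 400, h: 300 },
  elements: [
    { id: 'main', rect: { x: 0, y: 0, w: 1200, h: 900 }, isEmpty: false, isFormAncestor: true },
    { id: 'footer-note', rect: { x: 0, y: 850, w: 1200, h: 50 }, isEmpty: false, isFormAncestor: false },
    { id: 'injected', rect: { x: 0, y: 0, w: 1200, h: 900 }, isEmpty: true, isFormAncestor: false },
  ],
};

function runSampleCheck() {
  return findSuspectOverlays(SAMPLE.elements, SAMPLE.formRect); // ['injected']
}
```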
