Warner Music Group suffered three-month-long Magecart attack
Warner Music Group has revealed that between 25 April and 5 August this year, hackers compromised a number of its US-based e-commerce websites and stole the personal information of users who purchased items on the compromised sites.
Warner Music Group is the world’s third-largest music recording company after Universal Music and Sony Music, employing over 3,500 people in 56 countries and owning popular labels such as Elektra Records, Warner Records, Parlophone, Atlantic Records, and Warner Chappell Music. The company also enjoys global licensing partnerships with Spotify and Mattel.
In a data breach incident notice filed with the Attorney General of California, Warner Music Group said that between 25 April and 5 August this year, unidentified hackers compromised a number of its e-commerce websites that were hosted and supported by an external service provider. The hackers then planted skimming code into the websites to exfiltrate information that was entered by visitors on the sites’ checkout pages.
“Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party. This could have included your name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV, and expiration date).
“While we cannot definitively confirm that your personal information was affected, it is possible that it might have been as your transaction(s) occurred during the period of compromise. If it was, this might have exposed you to a risk of fraudulent transactions being carried out using your details,” the company said.
“Upon discovering the incident we immediately launched a thorough forensic investigation with the assistance of leading outside cybersecurity experts and promptly took steps to address and correct the issue. We also notified the relevant credit card providers as well as law enforcement, with whom we continue to cooperate.
“To protect you further, we are offering identity monitoring services through Kroll for 12 months, free of charge,” it added. Warner Music Group subscribers who made purchases on the affected sites between 25 April and 5 August can avail of free identity monitoring services by 11 December this year.
Commenting on the latest web-skimming attack suffered by Warner Music Group, Raif Mehmet, VP EMEA at Bitglass, said payment card-skimming malware continues to be a security challenge for retailers around the globe.
“British Airways, Newegg, and now Warner Music Group, have all been victims of Magecart’s malware, highlighting the need for security solutions which monitor for vulnerabilities and threats, across all devices and applications, in real time. With these capabilities, retailers can be proactive in detecting and thwarting breaches before they happen, ensuring that their customers’ sensitive information is protected,” he added.
The use of malicious code to steal the personal and financial information of people who make purchases on e-commerce websites is a highly profitable source of income for hackers across the globe. In the past couple of years, a number of cyber crime groups have emerged that rely solely on credit card skimming code to make quick money and to monetise stolen data.
In July, security firm Gemini Advisory said that a new hacker group known as the Keeper Magecart group had targeted as many as 570 e-commerce domains across 55 countries since April with card-skimming malware. Of the targeted domains, 85% operated on the Magento CMS.
“Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through sequel injections leaves e-commerce merchants vulnerable to a variety of different attack vectors.
“Over the past six months, the Gemini team has uncovered thousands of Magecart attacks ranging from a simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images.
“The criminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who do not emphasize domain security,” Gemini said. The firm noted that the hacker group targeted e-commerce sites that boasted anywhere from 500,000 to over one million visitors each month and the group’s revenue exceeded $7 million.