MyPillow, AmeriSleep websites were hit with hacks stealing credit card data

Monsters under the bed aren't real, but hackers who target mattress and pillow sales are.
Hackers planted malware to steal credit card information from customers at two major sleep retailers, researchers have found.

The two companies, MyPillow and Amerisleep, are popular pillow and mattress companies, boasting millions of dollars in sales on their websites. What was not on their websites was breach disclosures for skimmers that security researchers at RiskIQ discovered, going back to April 2017.

The skimmers were hidden in scripts on their websites, injected by Magecart, the world's largest credit card skimming campaign, said Yonathan Klijnsma, a head researcher at RiskIQ. Magecart is a massive hacking operation targeting major stores online, with victims like Ticketmaster UK, NewEgg and British Airways in the past.

"Anything that has card transactions and higher traffic volumes will be interesting for these groups," Klijnsma said.

The hackers look for openings at online shops and then inject scripts that steal people's credit card information when they type it in to make their purchases. In some cases, Magecart will target third-party tools like chat support plug-ins to infiltrate thousands of shops at the same time.

For MyPillow and Amerisleep, Magecart hackers had been on their websites for several months, though the two companies didn't issue public statements or warnings to their customers that they could have been affected by the hack.

MyPillow's CEO Mike Lindell provided a statement confirming the breach and said investigators "found no indication that the breach was effective or that any customers' information was compromised."

Amerisleep didn't respond to a request for comment.

MyPillow gets about a million visitors each month, while Amerisleep gets about 500,000 visitors each month. While that doesn't mean that every visitor is buying something, even a small amount would be a substantial theft from the hackers.

"Let's say it's 2 percent of visitors buying something. It's still significant," Klijnsma said.

MyPillow was first hacked last October, after the attackers registered the domain name "mypiltow.com" on Oct. 1. Hackers then injected a script into the pillow shop's website, hosting it on the fake URL.

Because the URLs looked so similar, it'd be harder for a security team to spot in the code. The script was active and stealing customers' credit card numbers, but it was removed in two days, RiskIQ said.
But even after it was removed, Magecart hackers still had access to MyPillow's website, researchers said. On Oct. 26, the attackers registered the domain name "livechatinc.org," taking advantage of the existing customer support service that MyPillow uses.
They then put the skimmer in code hosted on the new URL and injected it again on MyPillow's website. That skimmer was active until Nov. 19, RiskIQ said.

"With MyPillow, they tried to blend in. They could have inserted any random domain and seen how it worked," Klijnsma said. "They're spending more time trying to blend in. Not every group does this." 

Lindell said MyPillow has since increased security on its website and reported the attack to the authorities. He said MyPillow didn't make a public announcement because it didn't believe any information was stolen.
Magecart's attacks on Amerisleep go back even earlier, with the first compromise occurring in April 2017. The skimmer was active on the mattress company's website for six months, ending October that year.
Magecart's malware remained off of Amerisleep's shop until last December, with another skimmer active on their website, RiskIQ said. This skimmer would lie dormant and run only if it was on an active payment page, researchers found.

They first tried injecting the skimmer through a Github page, which they registered as "amerisleep.github.io." Like the attack on MyPillow, the Github page was an attempt to blend in and hide.

"If you set up a new domain, people might notice. But if someone sees Github, they might not be as suspicious," Klijnsma said.

RiskIQ worked with Github to remove the fraudulent account, and the attackers set up another domain to hide the skimmer in.
The domain that the skimmer was hosted on has since been taken down, but it's still in the code on Amerisleep's website, RiskIQ said. Klijnsma said he made multiple attempts to warn Amerisleep but hasn't heard back from the company.

Magecart's attacks continue to spread across the internet, with new ways to hide skimmers in online shops.

"Our fight is taking all this down and their fight is setting all of it up as fast as possible so they can generate more revenue," Klijnsma said.