Hackers hit Atlanta Hawks shop with malware that steals credit card information

There's a technical foul on the Hawks fan shop, says a security analyst. The team says it's investigating.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
San Antonio Spurs v Atlanta Hawks

The Atlanta Hawks may be good at defense on the court, but a security researcher found a different story online.

Getty Images

The Atlanta Hawks need to play better defense online after a security researcher discovered malware at the basketball team's online store.

The merchandise website for the Hawks, the 12th-ranked team in the NBA's Eastern conference, was infected with malware designed to steal credit card information, according to Willem de Groot, lead forensic analyst at Sanguine Security.

De Groot said he first spotted the malware April 20 and noted it was stealing the names, addresses and credit card numbers of Hawks fans. He said he notified the team on Tuesday.

"We take these threats seriously and are investigating," a Hawks spokesperson said. The malware is no longer active on the site, the representative said.

The malware represents the latest example of a credit-card skimming scam that's gained steam over the last few years. During the last several months, NewEgg, British Airways and Ticketmaster UK were among the victims of the same type of attack, perpetrated by Magecart, the world's largest credit card-skimming operation, made up of different hacking groups.

De Groot said Magecart, which targets popular online stores with security vulnerabilities, also hit Hawks Shop, a site for Atlanta Hawks fans to buy hats, jerseys and other team gear.

"The frequency of hacked stores has gone down somewhat. However, the volume of stolen transactions apparently has gone up," de Groot said. "They seem to have shifted from hacking many small stores (automated breaches) to manual breaches of larger, more profitable targets."

The Atlanta Hawks shop boasted 7 million visits one year, and has more than 1.2 million followers on Twitter.

De Groot said he was able to spot the malware embedded on the Hawks Shop website through a Magecart detection engine he developed. The engine searches online stores for active payment skimmers. He said the tool finds between 50 and 150 stores compromised per day.

He tested out the malware by using fake credentials to order an Atlanta Hawks hat. De Groot said he found code on the website that was logging his keystrokes as he entered the numbers in the payment form. The data was sent to a domain name first registered March 25 and hosted by a provider popular with online criminals.

"The Magecart signature theft is to steal payment data, right when a customer enters them. Because at this stage, nothing has been encrypted yet, and the typical customer has no way of knowing that his data get siphoned off," he said in a message.

It's still unclear how the hackers gained access to the Hawks Shop website, but de Groot said it's likely they didn't have to. In previous attacks, Magecart was able to compromise third-party tools and use them to infiltrate the shops. 

Originally published April 23, 2:31 p.m. PT
Update, 6:27 p.m. PT: Adds that the malware is no longer active.