In October 2024, the Green Bay Packers revealed that their official online retail store, packersproshop.com, was breached by a cyber attacker who injected a card skimmer script into the checkout page. Upon discovering the malicious code on October 23, the team swiftly disabled all payment and checkout features on the website. The Packers also engaged outside cybersecurity experts to investigate the breach’s scope and determine if customer information had been compromised. This swift action helped to mitigate further damage and led to an in-depth investigation.
The investigation uncovered that the skimmer script had been active on the checkout page between late September and October 2024. However, the attacker was unable to access payments made using gift cards, PayPal, or Amazon Pay, which limited the scope of the breach. The Packers also worked with the third-party vendor responsible for managing the website, requiring them to remove the malicious code and secure the site by resetting passwords and patching vulnerabilities.
Dutch e-commerce security company Sansec, which had alerted the Packers to the breach, found that the attacker used a sophisticated technique to bypass the website’s security measures. The threat actor used a JSONP callback and YouTube’s oEmbed feature to inject the malicious code from an external site, js-stats.com. The code was designed to collect and exfiltrate sensitive information, including customer names, addresses, emails, and payment card details, from the site’s input fields.
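One defender-side check for the technique described above, written here as an added example (it is not code from the article, from Sansec, or from the Packers): it audits every external script on a checkout page against an allowlist of expected hosts and separately flags any script URL carrying a JSONP-style callback parameter, because a JSONP endpoint executes whatever function name the URL names. The sample HTML, the allowlisted hosts, and the script path under js-stats.com are constructed for the example.

```javascript
// Audit <script src="..."> tags in checkout-page HTML (Node.js, no dependencies).
// A finding is raised when the script host is not on the allowlist, or when the
// URL carries a JSONP-style callback parameter (which lets a third-party
// endpoint run attacker-chosen code in the page).
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
const JSONP_PARAMS = ['callback', 'jsonp'];

// pageOrigin resolves relative src values such as "/static/checkout.js".
function auditScriptSources(html, allowedHosts, pageOrigin = 'https://shop.example') {
  const findings = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try {
      url = new URL(match[1], pageOrigin);
    } catch {
      findings.push({ src: match[1], reasons: ['unparseable-url'] });
      continue;
    }
    const reasons = [];
    if (!allowedHosts.includes(url.hostname)) reasons.push('host-not-allowlisted');
    const cbParam = JSONP_PARAMS.find((p) => url.searchParams.has(p));
    if (cbParam) reasons.push(`jsonp-callback:${cbParam}`);
    if (reasons.length > 0) findings.push({ src: url.href, reasons });
  }
  return findings;
}

// Constructed sample: two expected first-party scripts plus one external
// script loaded through a JSONP callback from the domain named in the article.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://js-stats.com/stats.js?callback=init"></script>
`;
const ALLOWED_HOSTS = ['shop.example', 'cdn.shop.example'];

console.log(auditScriptSources(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS));
```

Running the audit on a saved copy of the checkout page at deploy time, and again on a schedule, surfaces a newly injected third-party loader as a diff against the allowlist.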
While the Packers have not disclosed how many customers were affected or how the attacker infiltrated the website, they have offered three years of credit monitoring and identity theft protection services through Experian to impacted individuals. The Packers are advising affected customers to carefully monitor their bank and credit card statements for fraudulent activity. Additionally, they recommended reporting any suspicious identity theft or fraud attempts to their bank, state attorney general, and the Federal Trade Commission (FTC).