32,000 Customer Credit Cards Exposed in Gaming Store Hack

SCUF Gaming International recently sent emails to customers, alerting them that a previous data breach at the company has put their credit cards at potential risk and that customers should closely monitor their accounts.

What Happened?

In February, the SCUF website was hacked and attackers planted credit card skimming software that steals users’ credit card information. The attackers first gained access to the website’s backend using stolen login credentials from a third-party vendor. Then they inserted the Javascript-based malicious script on SCUF Gaming’s online store.

After two weeks, SCUF Gaming was alerted by its payment processor to abnormal card activities on the customer credit cards linked to their online store. The company immediately took action, and a month later, after a thorough investigation into their third-party software, they successfully removed the malicious script from the website.

Who is Affected by This Attack?

In a data breach notification email sent to impacted individuals, SCUF confirmed that the account holders who processed PayPal orders were unaffected. The breach was limited to credit card transactions from February 3, 2021 to March 16, when they removed the malware. The gaming company said that,

"the potentially exposed data was limited to cardholder name, email address, billing address, credit card number, expiration date, and CVV.”

Despite the quick action taken by the company, about 32,645 individuals were still affected by the attack. They did not include this information in the emails but revealed it to the Office of the Maine Attorney General.

How is SCUF Responding?

In the October 22 emails sent out to customers, SCUF Gaming advised that customers monitor their account and credit information. The company suggested that customers request new payment card numbers from their providers as a safety measure.

“This communication does not mean that fraud did or will occur on your payment card account,” SCUF Gaming clarified in the mail, seeking to keep their customers informed of the potential long-term risks they faced.

What is Web-Skimming?

Web-skimming attacks are also called e-skimming, form jacking, credit card skimming, or “Magecart” attacks. Here, hackers insert malicious code into a website and use it to access and extract data from any HTML form the users fill. This allows them to harvest multiple credit card details and personal information. The threat actors later sell the stolen data on hacking forums or use it to carry out fraud or identity theft schemes.

This scheme is called a Magecart attack because it is the modus operandi of Magecart, an alliance of hacker groups that target online shopping cart systems (usually the Magento systems) to steal payment details.

You can protect yourself from web-skimming attacks by:

1. Identifying and ensuring the security of all your third-party e-commerce and online advertising vendors.
2. Configuring a firewall frequently and adequately.
3. Using patch management software to scan for web vulnerabilities effectively.
4. Monitoring suspicious code changes on websites.
5. Monitoring all third-party scripts on your site.
6. Deploying a bot management solution to prevent browser-based bot attacks.
7. Real-time website monitoring of network requests.
8. Strengthening single-factor passwords with multi-factor authentication.
9. Automated website privacy audits and alerts.
10. Regularly vet your shopping cart pages and ad server code.
11. Encrypting your website data.
12. Implementing client-side web skimming solutions like “ScriptSafe,” “NoScript,” and so on.