Breach Notification , Card Not Present Fraud , Fraud Management & Cybercrime
Blowout Cards Issues Card-Skimming Breach AlertHacker Skimmed Payment Card Details Using Modified PHP File
Blowout Cards has issued a security alert to customers, warning that their payment card details may have been compromised after an attacker hacked its website and customers began reporting related card fraud.
Owned by Frontline Collectibles Inc. in Sterling, Virginia, Blowout Cards is a site devoted to the buying, selling and trading of sports cards and trading cards.
"Information compromised include the names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates, and card verification codes for customers who checked out via our website shopping cart in January 2017 through April 20th, 2017," the security alert reads.
The alert was issued just four days after Blowout Cards learned that it may have been breached. The company said it immediately launched a related data breach investigation, bringing in a third-party digital forensic investigation firm to assist.
"Once we became aware of this incident, we immediately launched an investigation to find and eliminate the problem," according to the alert. "An exploit in the form of a modified payment .php file was uncovered which allowed the intruder(s) to skim credit card/debit card information as customers checked out via our website."
Malicious PHP File Expunged
Blowout Cards says the malicious code has been expunged from its website, and that it's locked down the flaw that the attacker exploited. "We have also engaged a third-party data security firm who is in the process of examining our network. They will assist our website development and server host companies in implementing additional measures to strengthen the security of our system and our processes," the alert says.
The company says PayPal users were not affected.
"We deeply regret that this has incident has occurred and we sincerely apologize," the security alert continues. "In the coming weeks, we look forward to communicating with you again full details on what we are doing to ensure the safety of your information and what steps we are taking to prevent this from happening again in the future."
Thomas Fish, president of Blowout Cards, tells Information Media Group that the April 24 alert was not only posted to the company's site but also "emailed to all those potentially compromised."
He declined to comment on how many customers might have been affected.
But the company recommends that anyone who used a payment card on its website anytime from January to April 20 keep an eye on their card statements for any suspicious-looking transactions. If customers do see anything that appears to be fraudulent, Blowout Cards says they should immediately report it to their card provider.
Blowout Cards couldn't be immediately reached for comment on what exact vulnerability had been exploited by its attacker to access its site, the e-commerce platform that was affected or whether it was fully patched.
According to one of the site's users with the handle donaldz, however, there are indications that the company may have been using an outdated version of the Zen Cart open source shopping cart software. The PHP-based system interfaces with a MySQL database and also uses HTML components. The Zen Cart project also maintains a wiki offering advice for anyone who thinks their installation may have been hacked.
Customers Reported Fraud
Evidence of the Blowout Cards breach appears to have first surfaced April 19, when a user named "Force77" posted to the company's forums, asking if the site had recently been hacked. Other users also began weighing in with their own reports of fraud - involving both small and large amounts of money - apparently after they had use their card at the Blowout Cards site.
"Not sure where to put this, but I ordered something from Blowout in January. Used a credit card that I rarely use - only other place I use is NYTimes subscription," "ForceChange77" wrote. "Somebody got the card number and started charging all kinds of fraudulent charges. Has there been a problem recently?"
In response, on April 20 a Blowout Cards forum administrator said in a forum post that it was investigating a potential breach. On April 21, an "important message - attention customers" link to that forum post was added to the company's homepage.
But some customers questioned why the company hadn't made the security alert more obvious on the site's homepage, as well as issued an the alert via social media, not least because related card fraud attempts appeared to still be ongoing (see Customers Question Breach Alert Etiquette at Blowout Cards).
As of early April 25, no notice of the breach had appeared on either the Blowout Cards Twitter account or Facebook page.
Breach Notification Timing
In general, data breach experts say that - regulations permitting - it's best for organizations to not issue a breach notification immediately, if waiting a little while longer will help them tell customers exactly what happened, as well as what they can do to protect themselves (see Data Breach Notifications: What's Optimal Timing?).
But the rules are different for breaches that come to light publicly first, as happened with retailer Target, for example, which began issuing incremental updates on its 2013 breach investigation after related reports of card fraud came to light.