MageCart Breaches OXO in Targeted Attack

A United States utensil manufacturer has fallen victim to a MageCart breach that spanned a 2 year period, compromising customer information.

MageCart is an umbrella term for groups that utilise online card skimming techniques. This consists of malicious JavaScript being injected into the targeted website, most commonly the checkout page, in order to steal customer information such as personal and credit card details.

The website will operate as normal, and customers will be unaware of what is happening. Once a user submits their data into the online forms, it is sent to a server that the malicious users are operating. This information is then exfiltrated and used to conduct fraudulent activity, as well as being sold to other malicious users on the dark web for monetary gain.

The card skimming group have attacked a United States kitchen utensil manufacturer, OXO. MageCart were able to sustain persistence for numerous periods over 2 years, with the breach potentially exposing customer and payment information.

Below are the periods during which MageCart compromised OXO servers:

  • June 9, 2017 – November 28, 2017
  • June 8, 2018 – June 9, 2018
  • July 20, 2018 – October 16, 2018

Forensic investigators discovered on December 17 2018 that personal information that customers entered during the above time periods may have been compromised.

OXO believe the attempt to compromise the data may have been ineffective; however, they are notifying customers as a matter of caution. A third-party security firm was hired by OXO to fix any vulnerabilities that were present and to investigate their servers.

OXO is offering affected customers free credit monitoring services through Kroll. OXO will be sending users a member ID that is required to access the free service.

Collected information was sent to a remote URL located at, which can be used by the attackers to retrieve the data.

URL Information:

  • IP Address:
  • Country: United States
  • Region: Georgia
  • City: Atlanta
  • ISP: Namecheap Inc.

On June 9th 2017, the source code on OXO’s checkout page showed JavaScript being loaded into the page from – which is the same domain that the customer and payment information was being sent to.
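A defender-side check for the pattern described above, as an added example that is not from the original article or from OXO: it lists script sources on a checkout page that load from hosts outside an approved list, or cross-origin without Subresource Integrity. The host names, allowlist and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the shop has approved for script loading (constructed values).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> whose origin or SRI status needs review."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: no remote origin to check here
        # Relative URLs have no hostname and resolve to the page's own host;
        # scheme-relative URLs (//host/path) carry their own hostname.
        host = (urlparse(src).hostname or self.page_host).lower()
        if host not in ALLOWED_HOSTS:
            self.findings.append((src, "host not on allowlist"))
        elif host != self.page_host and not a.get("integrity"):
            self.findings.append((src, "cross-origin script without SRI"))

def audit_checkout(html, page_host):
    """Return (src, reason) pairs for scripts that deserve a closer look."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed checkout page: one first-party script, one approved CDN script
# lacking an integrity attribute, and one script from an unknown host.
SAMPLE = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="//stats.unknown-host.example/js/static.js"></script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for src, reason in audit_checkout(SAMPLE, "shop.example"):
        print(f"{reason}: {src}")
```

Running a check like this against each deployed build of the checkout page, and alerting on any new finding, surfaces an injected script tag without relying on customers noticing anything.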

MageCart have been responsible for attacks on British Airways, Ticketmaster, Sotheby’s Home and many more over the course of 2018, so it is likely that there will be continued activity from the group throughout 2019.

"I Think This Breach Affects My Information - What Do I Do?"

Change Your Password – In cases like this, it is always better to be safe than sorry: change the password that you use to log in to your Marriott account. If you have reused this password across other websites (which is not recommended!), change those passwords too! If multi-factor authentication is offered, enable it, as this provides additional security for your account.

Monitor Your Bank Balances – In the event that your payment information has been compromised, carefully check your bank balance to ensure that all of your transactions are yours, and not fraudulent! Keep receipts and check these against your account!

Watch Out For Phishing – Malicious users will grasp the opportunity to get hold of large amounts of email addresses in order to create phishing campaigns to try and catch users out. Monitor your inbox and do not fall for phishing emails, as they can be extremely sophisticated. If you require more help on identifying phishing emails, click HERE
