Card Not Present Fraud
Fraud Management & Cybercrime
Company Says It’s Migrating to a Different Payment System, Adding 2FA Requirements
The U.S. e-commerce website, PulseTV, recently disclosed a data security breach involving over 200,000 customer credit card details.
In a notification letter shared with the Office of the Maine Attorney General, the company says that the information including customer’s name, address, email address, payment card number, expiration date, and card security code (CVV) provided during checkout are compromised.
“On March 8, VISA informed us that our website (www.pulsetv.com) was a common point of purchase for some unauthorized credit card transactions and that the website may have a possible compromise. Shortly after that, we conducted malware scans, checked our security settings, and cooperated with VISA’s requests for information,” the company says.
A spokesperson for PulseTV was not immediately available to comment.
Investigation on Progress
After initial investigation, PulseTV says it did not find any ongoing compromise involving customers’ credit cards, nor any customer complaints regarding credit card transactions.
However, a few months later law enforcement agency contacted the e-commerce firm and notified about additional payment card compromises that appeared to have originated from pulsetv.com.
“We then started working with legal counsel with an expertise in cybersecurity. Legal counsel also hired nationally-recognized cybersecurity experts to assist with the investigation,” it says. “On November 18, 2021, our investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard.”
PulseTV says after having communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between Nov. 1, 2019 and Aug. 31, 2021 may have been affected, but the investigators were not able to verify that the website was the cause of the unauthorized transactions.
“However, in an abundance of caution, PulseTV is notifying customers, including you, who purchased products on our website during that time period so that they can take steps to protect and secure their credit card information,” the company says.
PulseTV also announced that they are migrating to a different payment system and adding two-factor authentication requirements for all internal devices. The platform plans to utilize end-point detection and response tools to provide greater network visibility and threat mitigation.
“We are also working with the payment card networks to keep them informed and cooperating with the ongoing investigation of the incident by law enforcement. Finally, we are providing notice of this incident to appropriate state regulators, consistent with our compliance obligations and responsibilities,” the company says.
The company warned customers, who purchased from the site between Nov. 1, 2019 and Aug. 31, 2021 to remain vigilant of fraud and identity theft and recommends them to regularly review their account statements and monitor free credit reports for any unauthorized activity.
“If you believe your payment card information may have been compromised, we strongly encourage you to contact your payment card company and/or financial institution and request that the card be cancelled. You should report any incidents of suspected identity theft to your local law enforcement and state Attorney General,” the company says.
In April, Visa’s Payment Fraud Disruption team reported that cybercriminals are increasingly using web shells to establish command and control over retailers’ servers during payment card skimming attacks (see: Visa Describes New Skimming Attack Tactics).
The web shells enable fraudsters conducting digital skimming attacks on e-commerce sites to establish and maintain access to compromised servers, deploy additional malicious files and payloads, facilitate lateral movement within a victim’s network and remotely execute commands, Visa said.
The most common methods for deploying a web shell are malicious application plug-ins and PHP code, Visa reported.
Visa reached its conclusions after studying 45 digital skimming attacks in 2020. In February, Microsoft reported spotting 140,000 web shells per month on servers from August 2020 to January 2021, which it said is almost twice the number from the same period the year before. These web shells, however, were not being used for retail attacks.
Last year, in August, Michigan State University said it was investigating how hackers were able to steal credit card data from the school’s online shopping site over a nine-month period (see: University Investigates Skimming of Credit Card Data).
The skimming, which took place between October 2019 and June, appears to have affected about 2,600 customers of the university’s online store, shop.msu.edu, according to the school.