Forbes becomes latest victim of Magecart attack

A Magecart group has been found stealing payment data on the websites of Forbes magazine.

Security researcher Troy Mursch announced on Twitter that Forbes had been compromised by the Magecart credit-card-skimming malware on Wednesday around 4:30am UTC.

Hackers had apparently injected malicious JavaScript into the Forbes magazine websites, allowing the credit card information of customers to be stolen if they had made a purchase while the site was compromised.

Once he had identified the infection, Mursch reportedly sent numerous emails to Forbes to alert them to it and also reported the problem to the domain owner; however, Mursch has not heard back from them.

Mursch has confirmed that the malware has been removed, and the payment page on the website has been taken down.

A Forbes spokesperson told El Reg on Wednesday that, at the moment, it appears that the hackers do not have anyone’s financial credentials; however, recent subscribers of Forbes have been advised to check their credit card information for signs of fraud.

Mike Bittner, associate director of digital security and operations at The Media Trust, said:

“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise.

“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making it hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ revops teams, who make pivotal decisions on security and privacy.

“The bottom line here is that publishers should carefully vet all their parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”
