Bad news for home gardeners: criminals might have your credit card data.
AeroGrow, the maker of the at-home garden kit AeroGarden, said in a letter to customers that its website had credit card scraping malware for more than four months.
The company said anyone who bought something through its website between October 29, 2018 and March 4, 2019 had their credit card number, expiration date and card verification value — also known as a security code — stolen by the malware. In most cases, that’s all someone would need to make fraudulent purchases.
It’s the latest in a string of high-profile malware attacks targeting websites in the past year. Attackers find a vulnerability, often in the website running a company’s shopping cart, and inject code that scrapes credit card data once it is entered into the form on the site. That data gets siphoned off and sent to a server controlled by the attacker. Because the code is running on the page, there’s no discernible or obvious way to tell if a website is affected.
One of the more well-known hacker groups is Magecart, a collective of different hackers of varying skillsets, which attacks websites large and small. In the past year, the hacker groups have targeted Ticketmaster, British Airways, and consumer electronics giant Newegg — and many more.
AeroGrow didn’t say how many customers were affected. We’ve reached out and will update if we hear back.