Cybercriminals siphon credit card numbers from Oregon Zoo website

Cybercriminals were able to steal the credit card information of more than 100,000 people this year after taking over parts of a website run by the Oregon Zoo.

The Portland-based zoo filed documents with regulators on Friday that outlined a months-long campaign against the payment platform the organization uses on its website. 

In late June, zoo officials discovered suspicious activity within the online ticketing service and decommissioned the website to begin an investigation. 

By July 22, the zoo learned that “an unauthorized actor redirected customers’ transactions from the third-party vendor who processed online ticket purchases, potentially obtaining payment card information from December 20, 2023, to June 26, 2024.” 

“As a precaution, Oregon Zoo reviewed all transactions from this period to identify anyone whose payment card information may have been affected,” the zoo said. “The personal information that could have been subject to unauthorized access includes name, payment card number, CVV and expiration date.”

The Oregon Zoo told regulators in Maine that 117,815 people were affected in total. 

Federal law enforcement agencies were notified of the incident and Oregon Zoo is providing all victims with one year of credit monitoring services. 

The zoo filed breach notifications with regulators in Oregon and Texas as well. The Oregon Zoo is the latest major zoological organization to face attack by cybercriminals after the Toronto Zoo and Tampa Bay Zoo both dealt with incidents over the last 12 months. 

Payment-skimming malware infections have been a tried and true method for cybercriminals to earn money for years. In skimming attacks, hackers embed tools or malware onto e-commerce sites that allow them to siphon credit card information from online stores during the checkout process. The tactic has long been a problem for popular internet sellers.

In December, Europol joined law enforcement agencies from 17 countries in warning 443 online sellers that the payment card data of their customers had been compromised through e-skimmers.

In July 2024 alone, Recorded Future found 3,799 e-commerce domains suffered an e-skimmer infection

Threat actors posted 18.6 million card records for sale on dark web carding shops in July, with researchers collecting “8.8 million freely posted full card data records in July 2024.”

The payment fraud industry has shown signs of recovery following Russian law enforcement's crackdown on domestic cybercriminals and the Russian invasion of Ukraine, according to an annual payment fraud report from Recorded Future. The Record is an editorially independent unit of Recorded Future.

Researchers found 119 million cards posted for sale on dark web carding shops, with an estimated $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers in 2023.

In 2022, researchers said e-skimmers led to 45.6 million compromised payment card records posted for sale on dark web platforms.