Ticketmaster breach ‘part of massive card-skimming campaign’

July 12, 2018 TH Author

The Ticketmaster breach was not a one-off, but part of a massive digital credit card-skimming campaign.

Threat intel firm RiskIQ reckons the hacking group Magecart hit Ticketmaster only as part of a massive credit card card hacking campaign affecting more than 800 e-commerce sites.

Magecart has evolved tactically from hacking sites directly, to targeting widely used third-party software components. According to RiskIQ researchers, Magecart likely breached the systems of Inbenta and SociaPlus, both third-party suppliers integrated with Ticketmaster websites, and added to or replaced custom JavaScript modules with their digital credit card skimmer code.

Malicious scripts injected into e-commerce websites can record the credit card data unwitting customers enter into online payment form before uploading the data to a server controlled by crooks.

Magecart

Magecart is well-known to RiskIQ, which has been tracking the group’s mendacious activities since 2015. The group’s credit card skimming attacks have been continuously ramping up in frequency, sophistication, and impact for years, according to the threat intel firm.

RiskIQ researchers found that other suppliers, web analytics provider PushAssist, CMS Clarity Connect, Annex Cloud, and likely many others, were also compromised by the Magecart hacking crew.

RiskIQ has been tracking a highly-targeted Magecart campaign dubbed SERVERSIDE, which has used access to these third-party components to target victims including some of the world’s largest online brands.

“While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster,” said Yonathan Klijnsma, a threat researcher at RiskIQ. “We believe it’s cause for far greater concern—Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon.”

Many publicly reported breaches are wrongly interpreted as individual events but are in reality part of the SERVERSIDE campaign.

According to Ticketmaster’s official statement, the breach impacted Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 until 23 June 2018. RiskIQ researchers found evidence the skimmer was active on additional Ticketmaster websites including Ireland, Turkey, and New Zealand since as early as December 2017.

RiskIQ researchers also found that the Command and Control server used in the Ticketmaster attack has been active since December 2016.

More details of RiskIQ’s latest research into the Magecart hacking crew – together with indications of compromise – can be found in a blog post here.

El Reg asked firms named in the research – Ticketmaster, Inbenta, CMS Clarity Connect (via CMSWire), PushAssist and Annex Cloud – to comment. We’ll update this story as new information comes to hand.

Andrew Bushby, UK director at Fidelis Cybersecurity, commented: “This research not only shows that the Ticketmaster breach is much worse than we first thought, but it also exposes the very real security issue with third-party suppliers. Many organisations often learn of a breach through a third-party, or by other organisations that have been hit. It is therefore critical that companies have a better understanding of when sensitive data is leaving the enterprise – or else threat actors such as Magecart will wreak havoc on the network and endpoints.”

Sponsored: Minds Mastering Machines – Call for papers now open