Security Experts:

Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks

In June 2018, Ticketmaster UK warned that some of its customers -- which it put at less than 5% of its global customer base -- may have had their payment information accessed by an unknown third-party. Ticketmaster laid the blame on third-party provider Inbenta, who laid the blame on Ticketmaster, who in turn had been warned by online bank Monzo in April that they might have been breached. Clearly, there was more to this story than was being told at the time.

RiskIQ researchers Yonathan Klijnsma and Jordan Herman have now filled in some of the gaps. An analysis of the events suggests that the breach was bigger and over a longer period than previously thought -- but it is only one part of a much larger and ongoing campaign to steal users' payment details. The researchers go further -- naming the unknown third-party culprit as the Magecart actors.

RiskIQ has been monitoring Magecart since 2015, and produced a report in 2016. Magecart uses a form of virtual card skimming, scraping payment details during online transactions and sending the card details to the criminals. Originally, the Magecart actors hacked retail stores directly. Now it seems to have evolved to breaching the suppliers of widely used third-party components.

This is what seems to have happened with Ticketmaster UK and Inbenta. Inbenta code was compromised with the addition of Magecart skimming software. "Inbenta explained that the module was custom built for Ticketmaster," write the researchers. "To modify the source of this module, the attackers would have needed access to Inbenta's systems in some way or form. We believe that Inbenta was breached, but there another possibility a Ticketmaster developer account was breached to access Inbenta. Unless the companies provide more transparency into the event, we will never know."

Ticketmaster UK has said that the Inbenta breach led to subsequent 'breaches' at their Ticketmaster International, Ticketmaster UK, GETMEIN!, and TicketWeb websites. RiskIQ research say this list should include at least Ticketmaster New Zealand and Ticketmaster Ireland as well; and adds that Ticketmaster Germany, Ticketmaster Australia, and Ticketmaster International were compromised by Magecart via a different third-party supplier of functionality -- in this case SociaPlus.

The Magecart campaign spreads far beyond just Ticketmaster and Inbenta and SociaPlus. "While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," said Klijnsma. "We believe it's cause for far greater concern -- Magecart is bigger than any other credit card breach to date and isn't stopping any day soon."

The report highlights three other major component suppliers that it claims are currently breached by Magecart. The first, PushAssist, provides web analytics similar to Google Analytics. "Their server has been breached and is still serving analytics with the Magecart skimmer. The service boasts having over 10 thousand websites using its analytics platform... This means any website performing payment processing on their website that uses PushAssist is, right now, within reach of the Magecart skimmer."

The second is Clarity Connect, which provides a CMS for company owners to create an online presence with a website or web store. The Magecart actors have even left a message in the compromised code: 'If you will delete my code one more time I will encrypt all your sites: you very bad admins.' It seems, suggest the researchers, "the Magecart actors have broad access that they aren't afraid to use if the administrator removes their skimmer again. Clarity Connect's customers are affected by this injected skimmer code."

The third example is Annex Cloud, another analytics provider currently compromised by Magecart -- and again it appears as if the actors have broad access to the Annex Cloud servers.

"It appears that Magecart was able to access hundreds of other high-profile ecommerce sites during its credit card skimming campaign, which means the scale of this breach looks set to be unprecedented," comments Ross Brewer, VP & MD EMEA at LogRhythm. He notes that like many other hackers, the Magecart actors have switched their attention to the supply chain. They are, he says, "redirecting their attention to smaller, third party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you're only as strong as your weakest link, which means if one of your third-party partners doesn't have the same commitment to data protection, any tools you have in place are essentially rendered useless."

Magecart, warn the RiskIQ researchers, "is an active threat that operates at a scale and breadth that rivals -- or possibly surpasses -- the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target. The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts."

San Francisco, Calif-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. This brought the total funding raised by the firm to $65.5 million.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.