Ticketmaster’s announcement back on June 28 that it was the victim of a payment-card breach ‘turns out to be part of a much larger card-skimming campaign by the threat group Magecart.
A whopping 800 e-commerce sites around the world have been targeted by the crooks so far, according to RiskIQ. Further, they have been using a wide range of software partners to get at the card information.
“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world,” researchers said in a blog posted on Tuesday.
Digital card skimmers use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites, they explained. It was reported at the time of the Ticketmaster breach that hackers had placed one of these on various Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta. But that turned out to be just a breadcrumb leading to a larger discovery.
“Our investigation following the Inbenta breach uncovered evidence that the Inbenta attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data,” analysts wrote.
The firm found that the group’s tactics have resulted in successful breaches of third-party providers including Inbenta, the SociaPlus social media integration firm, web analytics companies PushAssist and Annex Cloud, the Clarity Connect CMS platform and others, it said. RiskIQ also said that as a result, it found evidence the skimmer was active on a broader range of Ticketmaster websites than previously known, including Ticketmaster sites for Ireland, Turkey and New Zealand, among others. Originally, Ticketmaster said its’ UK site was primarily impacted.
“Ticketmaster Germany, Ticketmaster Australia and Ticketmaster International (previously mentioned in the Inbenta breach) were also compromised via another completely different third-party supplier of functionality,” the firm said.
The scripts for that supplier, SociaPlus, were modified on subdomains specifically set up for Ticketmaster as a customer, according to RiskIQ. Researchers said that they observed instances in December and January where the Magecart skimmer was injected into multiple Ticketmaster websites via SociaPlus scripts.
“Currently, those scripts seem to be clean, but we do not know if either Ticketmaster or SociaPlus are aware of this breach or if they’ve had discourse with each other about it,” RiskIQ said.
Ticketmaster did not immediately responded to requests for comment.
Further, RiskIQ found that the Magecart drop servers are multi-use and skimmed data is tagged with the website from which it was stolen. These command-and-control servers have been active since December 2016 – meaning that the scope of the activity is potentially vast when taken across all possible compromises. In the case of one highly-targeted campaign that RiskIQ dubbed ServerSide, nearly 100 top-tier victims, which the firm said are “mainly online shops of some of the largest brands in the world” were infected with the skimmer software.
“We can only guess how much payment data they were able to steal [from e-commerce providers in total], but we suspect they have an immense treasure trove of payment details,” researchers said. “Magecart is an active threat that operates at a scale and breadth that rivals—or possibly surpasses—the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target.”
In all, the Ticketmaster breach represents an evolution for the Magecart actors towards greater sophistication.
“Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have gotten smarter – rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer. In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.”
Stephen Boyer, CTO and co-founder at BitSight Technologies noted that the situation points out once again the weakness of supply chains.
“Post the Ticketmaster breach, organizations must incorporate the lessons learned,” he said via email. “This breach once again highlights the increasing vulnerability in the extended ecosystem that comes through exploitation through third parties. Businesses need to continuously assess and monitor the security posture and performance of its partners in order to gain visibility in the changing threat landscape, and to prioritize risk mitigating actions.”