Cybersecurity analysts RiskIQ have identified the hacker group Magecart as the origin of the skimmer code placed on Ticketmaster websites, and suggested the number impacted by their theft of payment details is likely significantly worse than first thought.

Ticketmaster is a subsidiary of Live Nation, the world’s largest entertainment ticketing sales and marketing company. Last month we reported how potentially millions of Ticketmaster customers’ payment details had been accessed by a hacker group.

RiskIQ state in their report that Magecart not only perpetrated this attack, but have been operating a massive credit card skimming operation that has affected over 800 e-commerce websites and could be the largest theft of credit card details to date.

The cybersecurity company declined to name the 800 e-commerce sites to Computer Business Review.

RiskIQ have discovered the the command and control server where all of the skimmed data was being sent has been active since December 2016. This means that Magecart have been running this particular skimming campaign for some time.

“We can only guess how much payment data they were able to steal, but we suspect they have an immense treasure trove of payment details,” RiskIQ wrote.

The attack vector for these breaches is through the malicious insertion of code into third party software providers.

Inbenta a third party software provider was the entry point for the malicious attack on Ticketmaster’s systems.

In their report RiskIQ note that: “Magecart actors breached their systems and, in separate instances, either added to or completely replaced a custom JavaScript module Ibenta made for Ticketmaster with their digital skimmer code.”

“The Magecart actors did not modify a singular script. They modified multiple, indicating a broader reach of access.”

In 2016 RiskIQ identified this type of skimming activity and discovered it in e-commerce websites, Magneto Commerce, Powerfront CMS and Opencart.

Second Third Party

RiskIQ say that they have also identified another third party software provider that contains the skimmer which was inserted onto Ticketmaster websites:

“We observed instances in December 2017 through January 2018 where the Magecart skimmer was added to one of the SociaPlus scripts and subsequently injected into multiple Ticketmaster websites.”

“We found evidence the skimmer was active on a broader range of Ticketmaster websites including Ireland, Turkey, and New Zealand among others,” RiskIQ added.

Ross Brewer, VP & MD EMEA of LogRhythm told Computer Business Review in an emailed statement that: “These findings indicate there was a lot more to the recent Ticketmaster data breach than we first thought.”

“It appears that Magecart was able to access hundreds of other high profile e-commerce sites during its credit card skimming campaign, which means the scale of this breach looks set to be unprecedented.”

 

RiskIQ’s identifies the Magecart Skimmer code which was insert onto Ticketmaster website.

 

Ross Brewer added: “Third party data breaches are a growing problem for businesses. Hackers are persistent. They’re redirecting their attention to smaller, third party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you’re only as strong as your weakest link, which means if one of your third party partners doesn’t have the same commitment to data protection, any tools you have in place are essentially rendered useless.”

“Threat detection solutions such as User and Entity Behaviour Analytics (UEBA) are fast becoming the most valuable tools in a security team’s toolbox as they are able to recognise legitimate behaviour and thwart unauthorised access before any data has been compromised.”