Ticketmaster hack part of digital skimming campaign: 800 e-commerce sites hit

News by SC Staff

The recent breach of Ticketmaster is now believed to be part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world, rather than a one-off event as initially reported.

Researchers at RiskIQ report that Magecart evolved tactically from hacking sites directly to targeting widely used third-party components, enabling it to hit up to 10,000 or more victims instantly. Magecart is believed to have likely breached the systems of Inbenta and SociaPlus, both third-party suppliers integrated with Ticketmaster websites, and added to or replaced custom JavaScript modules with its digital credit card skimmer code.

Digital card skimmers steal credit card data via scripts injected into e-commerce websites to record the credit card data entered into online payment forms.

The researchers found that other suppliers, web analytics provider PushAssist, CMS Clarity Connect, Annex Cloud, and likely many others, were also compromised by the Magecart actor. They had been tracking a highly-targeted Magecart campaign dubbed SERVERSIDE, which has used access to these third-party components to claim more than 100 top-tier victims including some of the world's largest online brands.

Yonathan Klijnsma, Threat Researcher at RiskIQ, commented in a press statement: "While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster. ...Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon."

As a consequence, it is suggested that many publicly reported breaches are wrongly interpreted as individual events but are in reality part of the SERVERSIDE campaign. Ticketmaster reported the breach as having impacted Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 until June 23rd of 2018, but RiskIQ researchers say they found evidence the skimmer was active on additional Ticketmaster websites including Ireland, Turkey, and New Zealand since as early as December 2017. They say that the Command and Control server used in the Ticketmaster attack has been active since December 2016.
