Card Not Present Fraud , Fraud Management & Cybercrime , Incident & Breach Response
RiskIQ: Ticketmaster Hackers Compromised Widely Used ToolsBreach May Have Affected More Ticketmaster Sites, Researchers Say
The criminal group behind the recent data breach at certain Ticketmaster websites may have also scooped up payment card and personal details from those using the company's sites in Australia, New Zealand, Turkey and Hungary, according to RiskIQ, which says the group's digital payment card skimmers may also affect as many as 800 other e-commerce sites.
Security company RiskIQ has been tracking Magecart, the criminal group that specializes in digital skimmers, or code designed to swipe information disclosed during e-commerce transactions.
" While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster."
—Yonathan Klijnsma, RiskIQ
As part of its Ticketmaster investigation, RiskIQ says it determined that Magecart appears to have compromised several third-party tools used by as many as 800 e-commerce websites. The affected suppliers include PushAssist, Clarity Connect and Annex Cloud, according to RiskIQ.
"While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," says Yonathan Yonathan Klinjnsma, a RiskIQ threat researcher.
Magecart, which has been active since 2015, has refined its tactics, RiskIQ says in a blog post. Those include a tactic used by other bad actors: targeting popular third-party software suppliers, which can enable large-scale compromises, says Ross Brewer, managing director for LogRhythm for EMEA.
"Hackers are persistent, clever people who have wised up to the fact that going after the big guys who have an array of sophisticated security tools in place is no easy feat," Brewer says. "Instead, they're redirecting their attention to smaller, third-party suppliers that can act as a gateway to more lucrative targets."
Ticketmaster warned on June 28 that malicious code had been planted in automated customer support chatbot software from Inbenta Technologies. The code collected names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details (see Ticketmaster Breach Traces to Embedded Chatbot Software).
The customers affected were those who purchased or attempted to purchase tickets using company's Ticketmaster International, Ticketmaster U.K., GETMEIN! and TicketWeb websites, it said in an advisory. The compromise occurred between February and June 23. North American customers were not affected.
Tickemaster subsequently disabled Inbenta's software across its websites. It also sent password reset notices to those affected and offered one year of free identity theft monitoring.
Inbenta suggested in a statement that Ticketmaster was at fault. Ibenta says Ticketmaster directly applied a script to its payments page that Inbenta had modified upon the company's request without telling Inbenta.
"Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability," Inbenta said. "The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers."
But RiskIQ says it has identified malicious code within a different third-party marketing and analytics service used by Ticketmaster. The service is developed by a company called SociaPlus.
"This supplier was also breached by the Magecart actors, and the scripts they served to customers were modified on subdomains specifically set up for Ticketmaster as a customer," RiskIQ says. "We observed instances in December 2017 through January 2018 where the Magecart skimmer was added to one of the SociaPlus scripts and subsequently injected into multiple Ticketmaster websites."
SociaPlus's scripts no longer appear to contain the malicious code, RiskIQ says, "but we do not know if either Ticketmaster or SociaPlus are aware of this breach or if they've had discourse with each other about it.
Efforts to reach Ticketmaster officials and SociaPlus were not immediately successful.
Goal: Mass Compromise
The Magecart group continues to improve its digital skimmers as well as its targeting, RiskIQ says. It previously went after websites one at a time in order to compromise and plant its skimming code.
"They've figured out that it's easier to compromise third-party suppliers of scripts and add their skimmer," the company writes. "In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly."