Looks Like Ticketmaster’s Data Breach Was Worse Than We Thought…

The Ticketmaster attack was apparently only the ‘tip’ of the iceberg, according to cyber-security firm RiskIQ.

Several weeks ago, Ticketmaster UK revealed that malicious code in software provided by Inbenta – a third-party supplier – led to a data breach.  According to the ticketing giant, less than 5% of its global customer base was affected.

That may be a vast understatement.

Magecart, a sophisticated hacking collective, was behind the attack.  The group, previously known for hacking websites directly, has now shifted to attacking third-party software components.

Researchers at RiskIQ, a cyber-security company, found Magecart breached two third-party suppliers integrated with Ticketmaster sites – Inbenta and SocialPlus.  The hacking collective either added digital credit card skimmers to the suppliers’ custom JavaScript code or replaced that code with them.  Malicious scripts injected into the ticketing giant’s websites could then record credit card payment details entered by customers.

Yonathan Klijnsma and Jordan Herman, researchers at RiskIQ, published their assessment on Magecart’s attacks.  They found the group hadn’t only targeted Ticketmaster.

“The Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern.  We’ve identified over 800 victim websites from Magecart’s main campaigns making it likely bigger than any other credit card breach to date.”

RiskIQ has tracked Magecart’s activities since 2015.  The group’s credit card hacks have only increased in sophistication, frequency, and impact.

Affected suppliers in Magecart’s recent campaign – dubbed Serverside – include PushAssist, CMS Clarity Connect, and Annex Cloud, among many others.

The ticketing giant has now confirmed the data breach affected Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 through June 23rd, 2018.  According to RiskIQ, however, attacks on the ticketing giant’s additional websites – Ireland, Turkey, and New Zealand, for example – started as early as December 2017.

Researchers also found a ‘Command and Control’ server used in the Ticketmaster attack has remained active since December 2016.

Confirming RiskIQ’s report, Andrew Bushby, UK Director of Fidelis Cybersecurity, wrote,

“This research not only shows that the Ticketmaster breach is much worse than we first thought, but it also exposes the very real security issue with third-party suppliers.”

The code, unfortunately, remains present on hundreds of websites, including those of over 100 top retailers.  Speaking about the seriousness of the attack, co-author Klijnsma wrote,

“Personally I don’t trust a single online store anymore.  Every single one of them could have their supply chain of functionality suppliers compromised.”

You can check out RiskIQ’s complete report here.

