‘Ticketmaster leak is the work of a skimmer group that caused many more victims’

According to security firm RiskIQ, the data breach that Ticketmaster recently warned about is the work of a skimmer group that it has named Magecart. It would target software suppliers of e-commerce sites and would have made 800 victims so far.

The company claims it has been tracking the Magecart group since 2015 and that the group’s attacks have become more frequent of late. Magecart is not only behind the Ticketmaster incident, but could count a total of 800 sites among his targets so far. Initially, the group would have attacked websites itself, but now they are targeting software suppliers of those sites, such as Ticketmaster. It turned out that data was stolen from the service via a JavaScript module from the vendor Inbenta. For example, the group would also target parties such as analytics services PushAssist and Annex Cloud, and CMS developer Clarity Connect.

RiskIQ further investigated the Ticketmaster incident and concluded that Magecart must have broken into Inbenta, which focuses on the development of chatbots. Inbenta initially said that his JavaScript code was on a Ticketmaster payment page, when it was not intended to be. The security company substantiates its conclusion by stating that the content of the inbenta.js file on the Ticketmaster site was completely modified in June, causing a temporary loss of functionality.

It attributes this action to Magecart, writing that the group added its own skimmer code to the script to steal data entered on the payment page. Because various scripts are sometimes completely adapted, RiskIQ assumes that the group must have had extensive access to Inbenta. His investigation would also show that the size of the Ticketmaster incident is greater than the company made out. It also found the skimmer code on Ticketmaster’s Irish, Turkish, Australian and New Zealand sites.

Code injected into Inbenta script by Magecart, according to RiskIQ

RiskIQ researchers have analyzed the skimmer’s code and write that it is quite simple software: “The skimmer is quite simple – every button and every input field on a page is hooked so that the skimmer combines the name and value of the fields and forwards to the Magecart server as soon as the visitor hits send.” The group would use domain names for these servers that resemble JavaScript libraries or analytics services. In the current case, the url was webfotce.com, which should resemble ‘webforce’. The fake domain has been up and running since December 2016.

After all, Inbenta wouldn’t be the only Ticketmaster supplier that Magecart has been targeting. The group would also focus on e-commerce service SociaPlus. RiskIQ reports that it found a Magecart skimmer added to a script on several Ticketmaster sites in late 2017 and early 2018.

Ticketmaster warned in late June that a data breach had occurred in which attackers got the names, addresses, email addresses, phone numbers, payment details and logins of Ticketmaster’s accounts into the hands of about five percent of its customers. A British bank then claimed that it had previously warned Ticketmaster about a possible data breach.