Ticketmaster breach 'part of massive bank card slurping campaign'

It gets worse, say researchers


The Ticketmaster breach was not a one-off, but part of a massive digital credit card-siphoning campaign.

Threat intel firm RiskIQ reckons the hacking group Magecart hit Ticketmaster as part of a massive credit card hacking campaign affecting more than 800 ecommerce sites.

Magecart has evolved tactically from hacking sites directly, to targeting widely used third-party software components. According to RiskIQ researchers, Magecart likely breached the systems of two third-party suppliers integrated with Ticketmaster websites – Inbenta and SociaPlus – and added to or replaced custom JavaScript modules with their digital credit-card copying code.

Malicious scripts injected into ecommerce websites can record the credit card data that customers enter into online payment forms before uploading the data to a server controlled by crooks.

Magecart

Magecart is well-known to RiskIQ, which has tracked its activities since 2015. The group's credit card swiping attacks have continuously ramped up in frequency, sophistication, and impact, according to the threat intel firm.

RiskIQ researchers found that other suppliers, including web analytics provider PushAssist, CMS Clarity Connect, Annex Cloud, and likely many others, were also compromised by Magecart.

RiskIQ is tracking a highly-targeted Magecart campaign dubbed SERVERSIDE, which has used access to these third-party components to target victims including some of the world's largest online brands.

"While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," said Yonathan Klijnsma, a threat researcher at RiskIQ. "We believe it's cause for far greater concern—Magecart is bigger than any other credit card breach to date and isn't stopping any day soon."

According to RiskIQ, many publicly reported breaches are wrongly interpreted as individual events when they are in reality part of the SERVERSIDE campaign.

According to Ticketmaster’s official statement, the security breach affected Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb from February 2018 until 23 June 2018. RiskIQ researchers found evidence the card slurper was active on additional Ticketmaster websites including Ireland, Turkey, and New Zealand as early as December 2017.

RiskIQ researchers also found that the Command and Control server used in the Ticketmaster attack has been active since December 2016.

More details of RiskIQ's latest research into the Magecart hacking crew - together with indications of compromise - can be found in a blog post here.

El Reg asked firms named in the research - Ticketmaster, Inbenta, CMS Clarity Connect (via CMSWire), PushAssist and Annex Cloud - to comment. We’ll update this story as new information comes to hand.

Andrew Bushby, UK director at Fidelis Cybersecurity, commented: “This research not only shows that the Ticketmaster breach is much worse than we first thought, but it also exposes the very real security issue with third-party suppliers. Many organisations often learn of a breach through a third-party, or by other organisations that have been hit. It is therefore critical that companies have a better understanding of when sensitive data is leaving the enterprise – or else threat actors such as Magecart will wreak havoc on the network and endpoints." ®
