Ticketmaster hack much wider than initially reported, says RiskIQ

Hacking group Magecart responsible for a sophisticated attack via third-party vendors that could have affected 800 ecommerce sites

The data breach of Ticketmaster last month, which spilled the credit card details of 400,000 customers, was part of a major skimming attack by the threat group Magecart that was much wider than first thought. Ticketmaster was only one of around 800 ecommerce firms affected, according to threat intelligence firm RiskIQ.

Rather than hacking Ticketmaster itself, Magecart compromised the cloud-based natural language search firm Inbenta, whose services are widely used by the ticket vendor and other ecommerce sites. Payment information entered into online forms on the ecommerce sites was then skimmed using the compromised Inbenta code and sent to a remote server run by the attackers.
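The mechanism described above is a third-party script on the checkout page, loaded from a vendor's infrastructure, that is modified to read payment form fields. One defensive control a site owner can apply is to inventory every external script on the checkout page, check its host against an approved list, and require a Subresource Integrity (SRI) hash so that a silently altered vendor file fails to load. The audit below is an added example written for this article, not code from RiskIQ, Ticketmaster or Inbenta; the allowlist hosts, the sample page and the `sha384-AAAA` hash are constructed placeholders.

```python
"""Audit the third-party <script> tags on a checkout page (constructed example).

Lists every external script, flags hosts outside an allowlist, and flags
scripts loaded without an SRI integrity attribute. A compromised vendor
script such as the one described in the article would still pass an
allowlist, which is why the SRI check is the one that matters most.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames this (hypothetical) shop has approved for its checkout pages.
ALLOWED_HOSTS = {"shop.example", "cdn.example"}


class ScriptCollector(HTMLParser):
    """Collect the attribute maps of all <script> tags that have a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_scripts(html, allowed=ALLOWED_HOSTS):
    """Return a list of (src, finding) pairs for scripts that need attention.

    Relative (same-origin) scripts have no hostname and are not reported.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for a in parser.scripts:
        src = a["src"]
        host = urlparse(src).hostname or ""   # "" for relative paths
        if host and host not in allowed:
            findings.append((src, "host not on allowlist"))
        if host and "integrity" not in a:
            findings.append((src, "external script without SRI integrity hash"))
    return findings


# Constructed checkout page: a first-party script, a pinned vendor script,
# an unpinned vendor script, and a script from a host nobody approved.
SAMPLE_HTML = """
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/widget.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example/chat.js"></script>
<script src="https://other.example/analytics.js"></script>
"""

if __name__ == "__main__":
    for src, why in audit_scripts(SAMPLE_HTML):
        print(f"{why}: {src}")
```

SRI can only pin a file the vendor serves unchanged; a vendor that rewrites its script on every request cannot be pinned, which is exactly the kind of dependency that deserves a second look before it is allowed on a payment page.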

Inbenta wasn't the only third-party provider used by Ticketmaster and other ecommerce sites that was compromised. Others include PushAssist and Annex Cloud, which provide website analytics; Clarity Connect, an add-on offering CMS services; and SociaPlus, personalisation and sales conversion software.

The Magecart hacking group specialises in stealing credit card information by injecting JavaScript code into websites. It has been operating for a number of years, but the Ticketmaster compromise represents a more sophisticated methodology than before, as it targeted a range of commonly used third-party software in order to compromise a larger number of ecommerce sites, including Ticketmaster affiliate sites not originally disclosed by the company in its breach report.

"We found evidence the skimmer was active on a broader range of Ticketmaster websites including Ireland, Turkey, and New Zealand among others," RiskIQ researchers Yonathan Klijnsma and Jordan Herman said in a blog post.

RiskIQ notes that the command and control server to which the stolen data was sent has been active since 2016, although the Ticketmaster compromise is much more recent. Many separate scripts were compromised in the attack, it said. While the methodology is now known, how Inbenta and the others were compromised is still unclear.

"Inbenta explained that the module was custom built for Ticketmaster. To modify the source of this module, the attackers would have needed access to Inbenta's systems in some way or form. We believe that Inbenta was breached, but there is another possibility: a Ticketmaster developer account was breached to access Inbenta. Unless the companies provide more transparency into the event, we will never know," the blog post says.

Speaking at a press event yesterday, Fabian Libeau, EMEA VP at RiskIQ, said the Ticketmaster breach illustrates the dangers of organisations relying on third-party software that has not been properly audited for security. For the hacker, these third-party services represent a poorly protected "soft underbelly", he said.

"So there's this credit card skimming adversary who is injecting JavaScript code into third-party code running on your website. They're not even attacking you yourself; they are attacking some third party you are hosting on your website, and that's how they get the data off your customer. That's how the adversaries are trying to circumvent all the fancy security you put in place to protect the perimeter and still get what they want."

Libeau continued: "The digital supply chain involves so many different vendors. A lot of those vendors are next-gen tech companies that provide really cool services for websites. They're not thinking from a security perspective. They're not security companies. They're marketing, social media, content management companies and they don't think about security."