Ticketmaster breach was part of a larger credit card skimming effort, analysis shows

A recent breach at Ticketmaster was just "the tip of the iceberg" of a wider, massive credit card skimming operation, new research has found. At least 800 e-commerce sites are said to be affected, after they included code developed by third-party companies and later altered by hackers, according to security firm RiskIQ.

Yonathan Klijnsma, a threat researcher at RiskIQ, said Magecart has a larger reach "than any other credit card breach to date, and isn't stopping any day soon." By targeting each third-party code supplier, the hackers can in some cases get "nearly 10,000 victims instantly," said the research.

Cast your mind back to last week's Ticketmaster breach. The ticket selling giant admitted that some customers had their payment data compromised because its website was running code from Inbenta, a customer support software company, which hackers had altered. It's not uncommon for websites to rely on third-party code, hosted on other sites and services, to support their own. But each of those suppliers is a single point of failure which, if breached, can affect every site that the code is loaded on.

According to RiskIQ, code hosted by social analysis company SociaPlus had also been breached. The hackers had changed the code to quietly skim the credit cards entered at the checkout of any site that the code was served on. The hackers had obfuscated their malicious code and placed it at the end of the JavaScript library. Any button or form is hooked, so when a user clicks a button or submits a form, the skimmer extracts the name and value of the fields on the page, combines them, and sends them to the drop server owned by the Magecart actors.

Klijnsma said that it wasn't clear how each company was compromised. With so many companies affected, a co-ordinated disclosure was impossible, he said.

But he said the Magecart threat group "extends well beyond Ticketmaster," and that close to 100 top-tier sites, like large brands and online shops, had been discovered, but he did not name any specific companies. "Personally I don't trust a single online store anymore," he said.