Blog

The Magecart project is the biggest thing I’ve worked on in my career in both the scope of the cyber threat, the effects of the breaches, and, as a result, the media attention our work garnered. It wasn’t possible without RiskIQ data.

Seeing words I wrote quoted on national news is a new experience for me personally, but the work we put into the project was not—far from it. The data we used, as well as the techniques we employed to work with and surface it, were typical of the analytics and cyber threat detection we carry out at RiskIQ every day. In the case of Magecart, our data sets allowed us to discover the breadth and scope of a massive compromise across the internet that few else could.

We first learned of the Inbenta breach through the disclosures Ticketmaster, Monzo Bank, and Inbenta released in late June and decided to dig into our data to see what we could find about it. We quickly identified several crawls of Inbenta scripts we had stored in RiskIQ's database. Finding them was relatively easy because Inbenta used subdomains with the name of the website using the script along with the geographic region in the hostname, i.e., ticketmasteruk.inbenta[.]com. Ticketmaster websites were utilizing these scripts for the geographic areas described in the disclosure of the breach

A key feature of RiskIQ’s integrated digital threat platform is our worldwide network of web crawlers. We continuously crawl the internet, collecting not just rendered pages but also the entire sequence of requests and responses that make up a web page—headers, dependent requests, certificates, and more. These crawls give us great insight into what is happening on a web server at any given point in time, and how that server would interact with a real user. We also incorporate the wealth of data we obtain from crawls into our aggregated datasets and our host pairs dataset, which proved especially useful for the analysis of Magecart. (A full description of host pairs is below.)

Our first example of an interesting Inbenta script had a hex-encoded and obfuscated javascript code block at the top of the script, above un-obfuscated javascript. Although hex encoding and obfuscation are not suspicious—as developers use this process legitimately to minify javascript—it is strange to find obfuscated and unobfuscated javascript together. Upon deobfuscating the code, we recognized what we saw right away: our old friend Magecart.

On June 27th, Ticketmaster, a ticket sales and distribution company, made public they had been compromised and that hackers stole customer information. However, we discovered that this was not a one-off event as initially reported, but part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world.

The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.

Introduction

Card skimmers are devices criminals hide within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day. These devices steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Since 2016, RiskIQ has reported on the rise of card skimmers of the digital variety operated by the threat group Magecart that use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites. Hackers placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta.

In this article, we’ll give our comprehensive insights into the events around the Ticketmaster breach. Magecart, the criminal group that performed this cyber attack, are well known to us. We have had an eye on them since 2015, and their cyber attacks have been ramping up in frequency and impact over the years. Our investigation following the Inbenta breach uncovered evidence that the Inbenta cyber attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data.

Magecart is back, and the operation is more elaborate than we thought, involving physical shipping companies with mules operating in the United States.

Credit card data is a hot commodity in the criminal underworld of the internet—stolen card data is readily available, and used to fund criminal enterprises of all kinds. But scammers, rippers, and carders aren't the only ones in on the action—the data has to be stolen in the first place.

Typically, when people think of credit card theft, they think of skimming, point-of-sale devices infected with malware, and large-scale data breaches. But actors are utilizing much sneakier and more sophisticated means of collecting credit card data, such as those behind Magecart, a threat we profiled last October, which injects JavaScript code into e-commerce sites running outdated and unpatched versions of shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, Magecart captures large quantities of payment card information from unsuspecting shoppers.

This stolen data can be packaged and sold as CVV dumps, on websites where transactions involving stolen credit card data take place. In a recent Krebs on Security blog post, which ties Magecart infrastructure listed in our original report to a credit card dump website known as “Trump’s Dumps,” we caught a glimpse of how those behind Magecart are monetizing their operations.

But RiskIQ’s follow-on report, Magecart Part II: From Javascript Injects to Reshipping for Financial Gain, shows that these actors actually have a well-diversified portfolio of rackets for making money from their plunder. Continued tracking of Magecart activity over the last few months gave us a rare look into the physical world operations of actors tied to digital threats: cashing-in by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S.

Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.

Targeting Consumers Via Retailer Payment Platforms

Since the widely publicized breach of Target Corporation, there has been a significant increase in awareness of activity surrounding POS (point of sale) system breaches. But web-based keylogger injection incidents continue to be little-known, even though they've been occurring for even longer than threats related to many high-profile breaches.

In 2000, the discovery of a vulnerability in versions of the widely-deployed Cart32 software, which enables consumers to shop online, gave threat actors access to the application as the administrator so they could dump credit card data and run commands on the hosting server. In 2007, discussions like this in the OSCommerce community illustrated more instances. Later in 2011, analysis showed additional mass compromise activity in OSCommerce pushing online store visitors to information-stealing malware.

Since then, this kind of activity increased, affecting other popular shopping cart software implementations.