The third-party breach which exposed personal and payment information of thousands of Ticketmaster customers is just the tip of the iceberg, according to researchers from RiskIQ.
The breach, which was caused by the compromise of code created by Inbenta for Ticketmaster, was said to have only affected UK customers of Ticketmaster and its subsidiary sites TicketWeb and Get Me In!, and Inbenta assured its other customers that only the code written for Ticketmaster was affected.
However, research carried out by RiskIQ researchers suggests that the problem goes far deeper, and is part of a vast card-skimming operation affecting over 800 e-commerce websites worldwide.
The operation is being carried out by a group referred to as Magecart, which has been operating since at least 2015, with RiskIQ noting a rise in their activity since 2016. The group uses ‘digital card skimmers’ created by injecting malicious script into websites to steal customer data. Personal and payment information are both at risk, though the keywords used by Magecart’s script are mostly transaction-related, indicating that payment information is the primary target.
According to the researchers, Inbenta’s systems were compromised rather than just the one piece of code, and other third-party providers have been similarly affected. Additionally, more of Ticketmaster’s websites (and therefore customers) than previously announced also seem to have been affected, including its Ireland, Turkey, and New Zealand websites.
Ticketmaster International, Ticketmaster UK, Get Me In!, TicketWeb, Ticketmaster Ireland and Ticketmaster New Zealand all seem to have been affected by the Inbenta breach. Other Ticketmaster sites, including Ticketmaster Germany and Ticketmaster Australia, were also compromised via a separate third-party breach, this one of SociaPlus.
The SociaPlus scripts modified by Magecart were on subdomains specifically set up for Ticketmaster, and sent the data to a drop server operated by Magecart, which has been in use for multiple compromised websites since December 2016.
While the SociaPlus scripts modified seem to have been part of a targeted attack on Ticketmaster, it’s not the only website affected. RiskIQ have identified more than 800 victim websites, with one campaign alone (referred to as ‘SERVERSIDE’) impacting 100 ‘top-tier victims’.
The campaign demonstrates an escalation in the group’s techniques – while they previously compromised individual websites to add malicious script, the shift to targeting third party suppliers allows for a far more efficient and widespread distribution of the skimmer code.
Compromised suppliers named by RiskIQ include PushAssist (a website analytics provider which claims to be used on over 10,000 websites), Clarity Connect (a CMS provider), and AnnexCloud (another analytics provider). Whether PushAssist and AnnexCloud were aware of the compromise is unknown, but it seems admins at Clarity Connect knew that malicious code was being placed on their website, as they had attempted to remove it in the past. A message left with the skimmer code by the hackers says: “IF YOU WILL DELETE MY CODE ONE MORE TIME I WILL ENCRYPT ALL YOUR SITES! YOU VERY BAD ADMINS”.
Perhaps more worryingly, the threat implies that the hacker has access not just to the compromised code but also to other Clarity Connect systems. The compromise of multiple AnnexCloud and Inbenta modules also suggests that in these cases too, Magecart actors have much broader access than initially thought.
This attack method really drives home the importance of choosing and vetting your third parties carefully. The past couple of weeks have seen several third-party breaches affecting big-name institutions – Ticketmaster is one example; a breach at Typeform affecting customers at Fortnum & Mason and Monzo is another. All of these are reported on (somewhat misleadingly) as breaches at the customer-facing company, and they’re the ones who suffer the reputational damages and the potential fines.
The number of third parties organisations work with – and need to share data with – is vast. And it’s not always easy to tell how much of a risk each one poses: self-reporting and questionnaires have been a substantial part of the vetting process in the past, but they’re clearly not enough. The importance of thorough, comprehensive third-party risk evaluations is becoming increasingly apparent, but as these become more complex and lengthier, the impact on business is something which will have to be managed carefully.
One possible solution is the emergence of ‘security ratings’ companies which we’ve seen in recent years – we wrote about some of them recently in the context of cyberinsurance, another increasingly important topic at present. Outsourcing the evaluation process to specialists may well be a tempting prospect not just for SMEs but also for large enterprises, which work with so many third parties that managing them all will represent a huge challenge.