It has come to light that a recent breach disclosed by Ticketmaster UK may be much larger than initially reported, with not just the company’s UK site, but also their sites for Ireland, New Zealand, Australia, Turkey and even the US found to contain digital card-skimming code. Similar to the recent breach at Harvey Norman, this incident was caused by cyber criminals compromising a third-party service provider, not the site itself directly, leading security experts to believe many more websites may be at risk or have been compromised. This is part of a concerning new trend whereby cyber criminals are targeting third-party providers, who may deal with hundreds of websites, rather than attacking a website individually, exponentially increasing the damage inflicted.
In a statement released last week, Ticketmaster said it originally believed that only its UK website had been compromised.
The news comes from an investigation by cyber security vendor RiskIQ, which believes that up to 800 e-commerce sites may have been compromised. The breach is part of a larger operation carried out by a group of malicious actors known as ‘Magecart’. Operational since at least 2015, the group specialises in digital credit card skimming.
RiskIQ has said that Magecart has turned from hacking sites directly to the more wide-reaching approach of targeting popular third-party vendors who may have code implemented on many websites at once. They do this by injecting their own custom scripts into e-commerce websites, recording credit card data whenever something is paid for.
“While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster,” according to Yonathan Klijnsma, Threat Researcher at RiskIQ. “We believe it’s cause for far greater concern—Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon.”
Ticketmaster originally said that the breach had affected only a small number of its sites, those running code from provider Inbenta, which had stated that only Ticketmaster was affected. However, the investigation from RiskIQ has revealed that at least four providers had been hacked by Magecart, some of which were still actively serving the malicious code. Combined, these providers had been allowing Magecart to deliver its card-skimming code to countless genuine websites, sending vast troves of credit card data back to Magecart’s central servers.
Third-party providers are very commonly utilised by websites around the world, leading some to believe the risk of using e-commerce sites as a whole was too high, as they were too easily compromised in this manner.
“Personally I don’t trust a single online store anymore,” Klijnsma said. “Every single one of them could have their supply chain of functionality suppliers compromised.”
Under the new EU General Data Protection Regulation (GDPR), both the affected websites and the third-party providers would be liable for fines and punitive measures, as part of an increased emphasis on accountability and traceability when it comes to how data is stored and processed.
Head of research at cyber security firm Panorays, Elad Shapira, says understanding the flow of data is key to keeping it safe. “Security visibility is key to understanding the risk that the third party poses to your company. Once you have that visibility, you can demand a certain level of security that’s reflective of the risk appetite of your company.”
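As an added illustration of the visibility Shapira describes (not code from RiskIQ, Panorays or any affected site), the sketch below inventories the external scripts a checkout page loads and flags third-party ones served without a Subresource Integrity hash, a browser feature the article does not mention. The page URL, hostnames and HTML are constructed placeholders, and exact-hostname matching for "first party" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page; every host below is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
<script src="https://cdn.payments.example/v2/pay.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="//analytics.example/tag.js" async></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

class ScriptInventory(HTMLParser):
    """Collect every external <script> with its resolved URL and SRI value."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if not a.get("src"):
            return  # inline script: nothing is fetched from a remote origin
        url = urljoin(self.page_url, a["src"])  # resolves relative and // URLs
        self.scripts.append({"url": url, "host": urlparse(url).hostname,
                             "integrity": a.get("integrity")})

def audit_third_party_scripts(html, page_url):
    """Return third-party scripts; 'unpinned' marks those without an SRI hash."""
    first_party = urlparse(page_url).hostname  # assumption: exact host match
    inventory = ScriptInventory(page_url)
    inventory.feed(html)
    return [{**s, "unpinned": not s["integrity"]}
            for s in inventory.scripts if s["host"] != first_party]

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_HTML, "https://shop.example/checkout"):
        status = "NO INTEGRITY HASH" if f["unpinned"] else "pinned"
        print(f"{f['host']:25} {status:18} {f['url']}")
```

A pinned script only loads if its content matches the hash, so a provider that updates its file in place will break until the hash is refreshed. Scripts that cannot be pinned are the ones that need contractual and monitoring controls instead.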