alexlukin - Fotolia
Ticketmaster breach part of worldwide card-skimming campaign
News roundup: The Ticketmaster breach was part of a massive digital credit card-skimming campaign. Plus, the U.K. fined Facebook over the Cambridge Analytica scandal, and more.
The attack that caused the Ticketmaster breach of customer information last month was actually part of a widespread campaign that's affected more than 800 e-commerce sites.
According to researchers at the threat intelligence company RiskIQ Inc., the hacking group known as Magecart has been running a digital credit card-skimming campaign that targets third-party components of e-commerce websites around the world.
At the end of June, ticket sales company Ticketmaster disclosed that it had been compromised and user credit card data had been skimmed. A report by RiskIQ researchers Yonathan Klijnsma and Jordan Herman said the Ticketmaster breach was not an isolated incident, but was instead part of the broader campaign run by the threat group Magecart.
"The target for Magecart actors was the payment information entered into forms on Ticketmaster's various websites," Klijnsma and Herman wrote in a blog post. "The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world."
A digital credit card skimmer, according to RiskIQ, uses scripts injected into websites to steal data entered into forms. Magecart "placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta," the researchers said, noting specifically that Ticketmaster's network was not directly breached.
RiskIQ has been tracking the activities of Magecart since 2015 and said attacks by the group have been "ramping up in frequency and impact" throughout the past few years, and Ticketmaster and Inbenta are not the only organizations that have been affected by this threat.
According to Klijnsma and Herman, Inbenta's custom JavaScript code was "wholly replaced" with card skimmers by Magecart.
"In the use of third-party JavaScript libraries, whether a customized module or not, it may be expected that configuration options are available to modify the generated JavaScript. However, the entire replacement of the script in question is generally beyond what one would expect to see," they wrote.
RiskIQ also noted that the command and control servers to which the skimmed data is sent has been active since 2016, though that doesn't mean the Ticketmaster websites were affected the entire time.
The Ticketmaster breach is just "the tip of the iceberg" according to Klijnsma and Herman.
"The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it's cause for far greater concern," they wrote. "We've identified over 800 victim websites from Magecart's main campaigns making it likely bigger than any other credit card breach to date."
In other news:
- The U.K.'s Information Commissioner's Office (ICO) is fining Facebook £500,000 -- more than $600,000 -- for failing to protect its users' data from misuse by Cambridge Analytica. The ICO is also going to bring criminal charges against the parent company of Cambridge Analytica, which gathered the data of millions of Americans before the 2016 presidential election. The ICO has been investigating data privacy abuses like the one by Cambridge Analytica -- which has since gone out of business -- and its investigations will continue. The fine brought against Facebook is reportedly the largest ever issued by the ICO and the maximum amount allowed under the U.K.'s Data Protection Act.
- Apple will roll out USB Restricted Mode as part of the new version of iOS 11.4.1. USB Restricted Mode prevents iOS devices that have been locked for over an hour from connecting with USB devices that plug into the Lightning port. "If you don't first unlock your password-protected iOS device -- or you haven't unlocked and connected it to a USB accessory within the past hour -- your iOS device won't communicate with the accessory or computer, and, in some cases, it might not charge," Apple explained. Apple hasn't provided the reason for this feature, but it will make it more difficult for forensics analysts and law enforcement to access data on locked devices.
- Security researcher Troy Hunt discovered an online credential stuffing list that contained 111 million compromised records. The records included email addresses and passwords that were stored on a web server in France. The data set Hunt looked at had a folder called "USA" -- though it has not been confirmed whether or not all the data came from Americans -- and the files had dates starting in early April 2018. "That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those, at least, will unlock all sorts of other accounts belonging to the email addresses involved," Hunt said. The site with this information has been taken down, so it's no longer accessible. Hunt also said there's no way to know which websites leaked the credentials and suggests users implement password managers and make their passwords stronger and more unique.