The ticket reselling sites olympictickets2020.com and eurotickets2020.com reportedly have been compromised with Magecart POS skimming malware.
Magecart was first spotted on the two sites , which deal in tickets for the upcoming 2020 Tokyo Olympics EUFA Euro 2020, and were detailed In late January by researchers Jacob Pimental and Max Kersten and RiskIQ took the additional step attributing this attack to Magecart Group 12.
The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts. However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we’ll break down here,” RiskIQ wrote.
Group 12 employs base64 encoded checks against the URL looking for the word “checkout” to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL, RiskIQ said.
“In this case, the library was hosted on the targeted site itself. There is no information as to how the malicious code got appended to the library,” Kersten wrote.
Both researchers contacted the site’s host company prior to going public and sent an email to its customer support firm. The company did take a look, but at first glance did not find the malware, Pemental then contacted them again with further details but received no response. Then on January 21 the pair saw that the malicious code was gone indicating the company had heeded their warning.
Anyone who purchased tickets through these two sites going back at least 50 days could be at risk and should check that their payment cards have not been compromised, suggested Pemental.