Threat actors from the Magecart APT group gained access to the systems of InBenta Technologies, a firm that works with Ticketmaster, and were able to access customer payment information.

The third-party breach that compromised the data of several Ticketmaster UK customers was part of a larger campaign which targeted more than 800 e-commerce sites.

Threat actors from the Magecart APT group gained access to the systems of InBenta Technologies, a firm that works with Ticketmaster, and were able to access customer payment information, according to researchers at RiskIQ.

The threat group used a similar strategy against other websites, compromising the credit card information of thousands of people.

Although Ticketmaster originally announced that the breach affected only four of its sites between February and June 2018, RiskIQ researchers listed nearly 17 different Ticketmaster sites over a longer period of time.

“Rather than go after websites, they've figured out that it's easier to compromise third-party suppliers of scripts and add their skimmer,” researchers said in the report. “In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.”

Researchers said that the command and control server used to receive the stolen data has been active since December 2016.

Ross Hogan, GM US Office & Chief Revenue Officer at Source Defense, told SC Media that Magecart operated continuously for 3 years before their campaign was made public and that the impact of this breach is significant and far-reaching.

“Current security solutions are not capable of preventing this vulnerability nor even detecting it in real-time,” Hogan said. “Remediation and forensics will only identify the problem and address the resultant damage.”

Hogan said the problem can only be solved with a prevention solution that specifically targets website supply chain attacks of the kind leveraged in this massive breach. Third-party vendors are also likely to be less secure than the typical enterprises that integrate their services, offering hackers a comparatively simpler path to access website content, data, and customers.

“The best way for companies to hammer out the chinks in the armor is by getting to know all the third parties that support their websites, working closely with them on improving each other's security postures, scanning their sites to identify any code that exhibits suspicious or malicious behavior, and terminating malicious behavior as soon as it's found,” Chris Olson, CEO of The Media Trust, said.

Researchers also pointed out that the implications of the attacks could be much worse than expected, given the number of third-party vendors who used the vulnerable software.

“If malicious code writers have indeed been able to affect the source code of third-party software used by hundreds of online retailers, the potential impact could be massive,” Lee Munson, security researcher at Comparitech.com, said. “By altering code linked to customer experience, the attackers could actually gain access to a plethora of personal, payment card and other sensitive data across a range of sites if their internal security mechanisms are weak.”

Munson added that while third-party code certainly helps to save time and money for the implementer, it is a very real risk that should be given careful consideration before being accepted.