Magecart Group 12 named as actor behind Olympic ticket POS attack

The ticket reselling sites olympictickets2020.com and eurotickets2020.com reportedly have been compromised with Magecart POS skimming malware.

Magecart was
first spotted on the two sites , which deal in tickets for the upcoming 2020
Tokyo Olympics EUFA Euro 2020, and were detailed In late January by researchers
Jacob Pimental
and Max
Kersten and RiskIQ took the additional step attributing this attack to Magecart
Group 12.

The
obfuscation and skimming code we observed on opendoorcdn.com matches that used
by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in
our blog posts. However, there are differences in the techniques employed by
Group 12 in these more recent compromises, which we’ll break down here,” RiskIQ
wrote.

Group 12
employs base64 encoded checks against the URL looking for the word “checkout”
to identify the proper page on which to load their skimmer code. This encoding
masked both the check itself and the skimmer URL, RiskIQ said.

Kersten decided
to look at the ticket sites based on a suspicion Pemental had when he “stumbled”
across the issue. Kersten took a look at the site’s JavaScript file /dist/slippry.min.js
and found a small description with the code where he found that an existing
piece of JavaScript was abused to hide the malicious code.

“In this
case, the library was hosted on the targeted site itself. There is no
information as to how the malicious code got appended to the library,” Kersten
wrote.

Both
researchers contacted the site’s host company prior to going public and sent an
email to its customer support firm. The company did take a look, but at first
glance did not find the malware, Pemental then contacted them again with
further details but received no response. Then on January 21 the pair saw that
the malicious code was gone indicating the company had heeded their warning.

Anyone who
purchased tickets through these two sites going back at least 50 days could be
at risk and should check that their payment cards have not been compromised,
suggested Pemental.

The post Magecart Group 12 named as actor behind Olympic ticket POS attack appeared first on SC Media.