
An Update to the Ticketmaster Breach

The malicious script was inserted into the Ticketmaster website via a third-party chat widget called Chatters City created by software developer Inbenta Technologies.

First Published 13th July 2018 

"Buy the ticket. Take the ride." - Hunter S. Thompson.

4 min read  |  Reflare Research Team

In a prior report, we covered an apparent breach of Ticketmaster’s customer data through a plugin provided by Inbenta Technologies. In this briefing, we will cover developments since then and answer a few of the questions that were still in the air two weeks ago.

What’s New?

On July 9th, information security researcher and vendor RiskIQ released an extensive report on the malware used and the group behind the attack. The key findings are as follows:

The group behind the attack is allegedly Magecart - a group known to RiskIQ since 2015 which has performed similar - albeit less sophisticated - attacks repeatedly in the past.

The compromise of the Inbenta plugin was confirmed.

In addition to the sites that Ticketmaster lists as affected, evidence was found that other Ticketmaster sites including those serving Ireland, Turkey, and New Zealand were also affected by the attack.

Sites not related to Ticketmaster were also affected by the same group.

How do they know this?

RiskIQ specializes in gathering vast amounts of publicly available data for information security purposes. Some of this data includes snapshots of websites at given intervals and information on server IPs and settings. The company was able to search its historical backlog of data on Ticketmaster and related sites to see when and where the offending code was presented to customers.
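The comparison described above, searching archived page snapshots for the point at which a third-party script changed, can be sketched as follows. This is an added example, not RiskIQ's tooling or code from the original briefing; the snapshot layout, host names, dates and script bodies are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def third_party_scripts(html, first_party_host):
    """Return script URLs served from a host other than the site's own."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [s for s in parser.sources
            if urlparse(s).hostname not in (None, first_party_host)]


def script_changes(snapshots, first_party_host):
    """Walk snapshots in date order; report first sightings and content changes."""
    last_hash, events = {}, []
    for snap in sorted(snapshots, key=lambda s: s["taken"]):
        for url in third_party_scripts(snap["html"], first_party_host):
            body = snap["scripts"].get(url)
            if body is None:
                continue  # script body was not archived with this snapshot
            digest = hashlib.sha256(body.encode()).hexdigest()
            if url not in last_hash:
                events.append((snap["taken"], url, "first seen"))
            elif last_hash[url] != digest:
                events.append((snap["taken"], url, "content changed"))
            last_hash[url] = digest
    return events


# Constructed sample data: hosts, dates and script bodies are invented.
WIDGET = "https://widgets.vendor.example/chat.js"
PAGE = '<script src="/static/app.js"></script><script src="%s"></script>' % WIDGET
SNAPSHOTS = [
    {"taken": "2018-01-10", "html": PAGE, "scripts": {WIDGET: "function chat(){}"}},
    {"taken": "2018-02-10", "html": PAGE, "scripts": {WIDGET: "function chat(){}"}},
    {"taken": "2018-03-10", "html": PAGE, "scripts": {WIDGET: "function chat(){} // altered"}},
]
```

Calling `script_changes(SNAPSHOTS, "shop.example")` reports the widget as first seen in the January snapshot and as changed in the March one; a site owner can run the same comparison on their own pages to notice when a vendor-hosted script changes without notice.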

Since Ticketmaster is motivated by market forces to let the incident die down, we are very unlikely to receive an official confirmation or denial of the claims made by RiskIQ.

Who else was affected?

Apart from Inbenta Technologies (which provided the plugin that was compromised for the Ticketmaster hack), the report also lists three other vendors that are or were compromised by Magecart:

Pushassist: A 3rd party service for the easy integration of push notifications into websites.

Clarity Connect: A service allowing customers to create custom websites and webshops.

Annex Cloud: A 3rd party analytics provider.

While their tasks and products differ widely, all three companies fall into the same general industry: 3rd party providers of tools to make web-based business easier.

Summary

The findings by RiskIQ back up the attack flow we laid out in our previous briefing: A plugin provided by third-party provider Inbenta Technologies was hacked to add malware to Ticketmaster sites. Since no non-Ticketmaster sites seem to be affected by the same payload included in Inbenta’s plugin, their statement that this plugin was custom-built for Ticketmaster appears to hold true.

Attackers in recent years have begun to specifically target 3rd party tools and plugin providers. As they are not high-value organizations themselves, security is often laxer than average. When one of their plugins is then embedded into a high-value website, the attackers can leverage their control over a relatively minor 3rd party company into an attack against a major player.

We advise all organizations - especially those handling payment data - to take great care when integrating with any third-party tools. While the fault may or may not lie with Ticketmaster, many people will remember that they got hacked, while very few will remember exactly why.
