
Sites belonging to a reseller of tickets for the Euro Cup and the Tokyo Summer Olympics, two major sports events happening later this year, have been infected with JavaScript that steals payment card details.
On one of the websites, the malicious code survived for at least 50 days, while on the other it lasted for two weeks. If not for the intervention and persistence of two security specialists, the malware would have continued to pilfer card data undetected.
Hiding in a legitimate library
Code that steals card data from online stores at checkout is commonly known as MageCart since it initially targeted sites that were running the Magento e-commerce platform.
The card skimmer was initially discovered by Jacob Pimental on the secondary ticket market OlympicTickets2020.com. It was hiding in a legitimate library called Slippry (a responsive content slider for jQuery) and activated when the slider loaded.
The hackers compromised the website and planted their malicious code in an obfuscated form in the existing Slippry library, located at "/dist/slippry.min.js."

Fellow security researcher Max Kersten helped Pimental deobfuscate the code. As it turned out, Kersten had encountered the same loader code, the part responsible for launching the skimmer, back in March 2019.
"The structure of the loader is, aside from the random variable names and script content, exactly the same," Kersten writes in a post today that references the initial analysis.
After deobfuscation, Pimental could clearly see that the script was triggered by keywords usually associated with a payment page, such as onepage, checkout, store, cart, pay, order, basket, and billing.
"If it finds any of those keywords in the website, it will send the information in the credit card form to opendoorcdn[.]com" the researcher writes in a post today.
MageCart attackers try to maximize their profits in any way possible and do not typically attack single sites. Their targets must have something in common that allows them to reach a larger number of victims.
Since the altered Slippry did not load from a third-party location that could have been compromised, Pimental searched for the hash of the library on UrlScan and found that it was present on another site, EuroTickets2020.com, also in the ticket reselling business.

It turns out that both EuroTickets2020 and OlympicTickets2020 are operated by the same party, which can be inferred at first glance from the websites' layout. The same owner name and the same customer support phone number on both sites removed any doubt.
Efforts to determine how long the two websites had been putting shoppers at risk revealed that the MageCart code had been present on the OlympicTickets site since at least December 3, 2019. On EuroTickets it had been active since at least January 7, 2020.
Bumpy responsible disclosure
Armed with contact details, the two researchers wanted to share their findings with the owner of the two sites so they could remove the risk.
They tried email communication first but received no reply. The same silence came when tweeting at them. A third option was reaching out via the live chat support system; again, no answer, despite Kersten leaving his phone number.
"The second contact via the live chat provided us with the information that the security team could not find anything, after which the case was closed."
Undeterred, the two researchers contacted them again, asking them to take another look at the library. Even after the researchers provided clear instructions, the two websites continued to host the malicious script, and the ticket was once again closed. The MageCart code was eventually removed later on.
Pimental and Kersten warn that shopping at olympictickets2020.com or eurotickets2020.com between December 3, 2019, and January 21, 2020, likely resulted in card data being stolen. Contacting the issuing bank and requesting a card replacement is the recommended action.