Skip to main content

80-Plus E-Comm Sites Infiltrated by Hackers Behind Ticketmaster, British Airways Breaches

The group that infiltrated Forbes, British Airways, Ticketmaster and others last year has infected more than 80 e-commerce websites, new research shows.

The news comes as retailers are kicking their holiday plans and preparation into high gear while grappling with a trade war that’s slapped escalating tariffs on apparel and footwear—staples for the gift-giving season. With recession rumblings growing louder, the retail industry can ill afford the negative headlines and reputational fallout that a data breach would bring.

According to Arxan Technologies, just two hours of investigation turned up more than 80 e-commerce sites—including 25 “large, reputable” motorsports and luxury apparel brands—actively compromised by Magecart, the umbrella term for groups using card skimming technology to steal consumers’ personal and financial data from websites. Formjacking, another term for these virtual card skimmers, typically happens at the shopping cart level. If cybercriminals don’t sell the data on the dark web, they like to use the purloined card numbers to purchase goods in a “shipping scam,” Arxan noted.

Set to exceed $3.5 billion this year, the global e-commerce market proves to be a tantalizing target for bad actors and a wake-up call to the impact of Magecart breaches. Affected organizations coughed up hundreds of millions of dollars just for government penalties, Arxan said, and about 20 percent of compromised sites were infiltrated yet again within five days of fixing the initial breach.

Related Stories

“It’s a bleak picture for an industry about to embark on the busiest shopping season of the year,” said Arxan, adding that it has notified the FBI about the cyber crimes it had uncovered.

“The threat of formjacking is a widespread and growing problem. Because so many web applications are lacking in-app protection, adversaries are able to easily debug and read a web app’s JavaScript or HTML5 in plain text. Once the web app code is understood, malicious Javascript is then inserted into the web pages of target servers that delivers the web checkout form,” said Alissa Knight, a cybersecurity analyst for Aite Group who authored a paper on this topic in partnership with Arxan.

“Once weaponized, these credential pages will simultaneously send a consumer’s credit card information to an off-site server under the control of the Magecart group while also allowing the compromised site to process the credit card so the consumer and the organization is unaware of the theft,” Knight continued. “It’s important to adopt solutions that implement multiple layers of security, not just obfuscation, such as detection of code tampering and analysis, active response that shuts a browser down upon detection of formjacking, along with threat detection and real-time alerting and response.”

Most of the 80-plus infiltrated sites were running particularly vulnerable outmoded versions of Magento. What’s more, not a single compromised site had implemented any form of in-app protection like tamper detection or code obfuscation.

That consumers aren’t fully protected against the “pervasive threat” of formjacking in 2019 is the real disappointment, according to Arxan chief scientist and CTO Aaron Lint.

“The push toward a modern user experience creates a lucrative attack surface inside the web content delivered via browser and mobile,” he said. “Any interface which takes user input becomes a target for exfiltration. Additionally, the widespread use of third-party components has created a supply chain where an attacker can easily compromise thousands of sites with a mere few lines of code.”

Arxan recommends online retailers and other website operators patch their e-commerce platforms or ensure they’re updated to the latest version; audit web code to be sure their websites and any third-party apps haven’t been compromised; and install a security solution that can notify stakeholders when questionable activity occurs with their web application code.