British Airways, Ticketmaster and Newegg hacks part of massive Magecart formjacking campaign

Researchers establish ties between recent headline-grabbing attacks and a major spike in formjacking


A spate of recent attacks against established brands including British Airways, Ticketmaster, and Newegg has been found to be part of a wider formjacking campaign that has involved almost a quarter of a million attacks since mid-August.

Hacking collective Magecart has been pinpointed by researchers as the group responsible for a massive spike in attacks this month, as a host of firms continue to reckon with crippling attacks on their infrastructure and a loss of sensitive customer data.


Formjacking, according to researchers at Symantec, involves injecting a malicious script into a web page and waiting for a user to fill out an embedded form with their personal and financial details. When the user submits the form to complete a purchase, the data is sent to the merchant website, and a copy is also sent to the attacker.

Symantec has blocked 248,000 formjacking attempts since 13 August, and more than a third of those occurred between 13 and 20 September. The number of attacks detected during this period was 117% higher than in the same week in August, rising from 41,000 last month to almost 88,500.

"While the compromise of larger organisations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking," Symantec's security response team wrote in a blog.


"Victims may not realise they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection."


Although attackers can use many methods to compromise websites, researchers noticed that Magecart attacks tended to target weaknesses in an organisation's supply chain. Because the smaller firms in that supply chain provide their larger partners with a variety of services, vulnerabilities in their systems can be exploited as an entry route into the larger company.

June's Ticketmaster breach, which affected 40,000 UK customers, was the first major headline-grabbing attack that exploited the method. Magecart was able to alter JavaScript code on Ticketmaster's websites to capture customer information, having first compromised a partner's customer service chatbot.

In subsequent high-profile attacks against British Airways, which affected 380,000 customers, and hardware retailer Newegg, Magecart used a similar method while also taking steps to avoid detection.

These included setting up spoofed web domains that feigned the appearance of a legitimate company, and purchasing SSL certificates to make the servers seem legitimate.

"The group used to primarily focus on hacking into Magento online stores," the security response team continued, "but it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data."


There were 1,000 instances of formjacking blocked by Symantec between 18 and 20 September, targeting 57 individual sites. Analysis shows they were mostly online retailers, but ranged from niche shops to massive enterprises.

Symantec's researchers warned businesses to be aware of the dangers of software supply chain attacks, given these have been used as the main route of infection in many instances.

Although difficult to guard against, a number of measures, including testing new updates in small test environments first and behaviour monitoring of all system activity, may go some way towards mitigating the risks.
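A defender-side check for the injected-script and spoofed-domain pattern described above, as an added example that is not from Symantec or the original article: it inventories the external scripts on a payment page, flags hosts that are off an allowlist or that resemble an allowlisted host, and flags allowlisted third-party scripts loaded without a Subresource Integrity attribute. The hosts, markup, allowlist and 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: hosts, markup and the integrity value are placeholders.
PAGE_HOST = "shop.example"
ALLOWED_HOSTS = {"cdn.shop.example", "chat.partner.example"}
CHECKOUT_HTML = """
<form action="/pay"><input name="card-number"></form>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://chat.partner.example/widget.js"></script>
<script src="https://cdn-shop.example/lib.js"></script>
"""

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def similarity(host):
    """Highest similarity ratio between host and any allowlisted host."""
    return max(SequenceMatcher(None, host, h).ratio() for h in ALLOWED_HOSTS)

def audit(html, threshold=0.8):
    """Return (finding, src) pairs for scripts that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname or PAGE_HOST  # relative URL = first party
        if host == PAGE_HOST:
            continue
        if host not in ALLOWED_HOSTS:
            kind = "lookalike-host" if similarity(host) >= threshold else "unknown-host"
            findings.append((kind, src))
        elif not integrity:
            # Allowlisted third party, but its content can change unnoticed.
            findings.append(("no-integrity", src))
    return findings

if __name__ == "__main__":
    for finding in audit(CHECKOUT_HTML):
        print(*finding)
```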
