British Airways, Ticketmaster and Newegg hacks part of massive Magecart formjacking campaign

Researchers establish ties between recent headline-grabbing attacks and a major spike in formjacking

Graphic depicting a digital padlock on a colourful background

A spate of recent attacks against established brands including British Airways, Ticketmaster, and Newegg have been found to be part of a wider formjacking campaign that's involved almost a quarter of a million attacks since mid-August.

Hacking collective Magecart has been pinpointed by researchers as the group responsible for a massive spike in attacks this month, as a host of firms continue to reckon with crippling attacks to their infrastructure, and a loss of sensitive customer data.

Formjacking, according to researchers at Symantec, involves injecting malicious script into a web page, and waiting for a user to fill out an embedded form with their personal and financial details. When the user submits the form to complete a purchase, data is sent to the merchant website, and a copy is also sent to the attacker.

Although Symantec has blocked 248,000 formjacking attempts since 13 August, more than a third of those occurred between 13 and 20 September. Moreover, the number of attacks detected during this period increased 117% against the same week in August from 41,000 last month to almost 88,500.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"While the compromise of larger organisations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking," Symantec's security response team wrote in a blog.

"Victims may not realise they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection."

Although attackers can use many methods to compromise websites, researchers noticed that Magecart attacks tended to target weaknesses in an organisation's supply chain. Because these smaller firms provide their larger partners with a variety of services, vulnerabilities in their systems can be exploited as an entry route into the larger company.

June's Ticketmaster breach, which affected 40,000 UK customers, was the first major headline-grabbing attack that exploited the method. Magecart was able to alter JavaScript code on Ticketmaster's websites to capture customer information, having first compromising a partner's customer service chatbot.

In subsequent high-profile attacks against British Airways, which affected 380,000 customers, and hardware retailer Newegg, Magecart used a similar method while also taking steps to avoid detection.

These included setting up spoofed web domains that feigned the appearance of a legitimate company, and purchasing SSL certificates to make the servers seem legitimate.

Advertisement - Article continues below

"The group used to primarily focus on hacking into Magneto online stores," the security response team continued, "but it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data."

There were 1,000 instances of formjacking blocked by Symantec between 18 and 20 September, targeting 57 individual sites. Analysis shows they were mostly online retailers, but ranged from niche shops to massive enterprises.

Symantec's researchers warned business to be aware of the dangers of software supply chain attacks, given these have been used as the main route of infection in many instances.

Although difficult to guard against, a number of measures, including testing new updates in small test environments first and behaviour monitoring of all system activity, may go some way towards mitigating the risks.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020