British Airways, Ticketmaster and Newegg hacks part of massive Magecart formjacking campaign

Researchers establish ties between recent headline-grabbing attacks and a major spike in formjacking

Graphic depicting a digital padlock on a colourful background

A spate of recent attacks against established brands including British Airways, Ticketmaster, and Newegg have been found to be part of a wider formjacking campaign that's involved almost a quarter of a million attacks since mid-August.

Hacking collective Magecart has been pinpointed by researchers as the group responsible for a massive spike in attacks this month, as a host of firms continue to reckon with crippling attacks to their infrastructure, and a loss of sensitive customer data.

Formjacking, according to researchers at Symantec, involves injecting malicious script into a web page, and waiting for a user to fill out an embedded form with their personal and financial details. When the user submits the form to complete a purchase, data is sent to the merchant website, and a copy is also sent to the attacker.

Although Symantec has blocked 248,000 formjacking attempts since 13 August, more than a third of those occurred between 13 and 20 September. Moreover, the number of attacks detected during this period increased 117% against the same week in August from 41,000 last month to almost 88,500.

"While the compromise of larger organisations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking," Symantec's security response team wrote in a blog.

"Victims may not realise they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection."

Although attackers can use many methods to compromise websites, researchers noticed that Magecart attacks tended to target weaknesses in an organisation's supply chain. Because these smaller firms provide their larger partners with a variety of services, vulnerabilities in their systems can be exploited as an entry route into the larger company.

June's Ticketmaster breach, which affected 40,000 UK customers, was the first major headline-grabbing attack that exploited the method. Magecart was able to alter JavaScript code on Ticketmaster's websites to capture customer information, having first compromising a partner's customer service chatbot.

In subsequent high-profile attacks against British Airways, which affected 380,000 customers, and hardware retailer Newegg, Magecart used a similar method while also taking steps to avoid detection.

These included setting up spoofed web domains that feigned the appearance of a legitimate company, and purchasing SSL certificates to make the servers seem legitimate.

"The group used to primarily focus on hacking into Magneto online stores," the security response team continued, "but it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data."

There were 1,000 instances of formjacking blocked by Symantec between 18 and 20 September, targeting 57 individual sites. Analysis shows they were mostly online retailers, but ranged from niche shops to massive enterprises.

Symantec's researchers warned business to be aware of the dangers of software supply chain attacks, given these have been used as the main route of infection in many instances.

Although difficult to guard against, a number of measures, including testing new updates in small test environments first and behaviour monitoring of all system activity, may go some way towards mitigating the risks.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Mar 2021
What is cloud-to-cloud backup?
cloud backup

What is cloud-to-cloud backup?

1 Mar 2021
Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021