
Ticketmaster hack “the tip of the iceberg”

The recent Ticketmaster data breach formed part of a “massive digital credit card-skimming campaign” that affected more than 800 other websites, according to a leading cyber-security company.

The breach, announced in late June, involved malicious software on a customer-support product hosted by a third-party supplier, Inbenta Technologies, that ran on Ticketmaster International, Ticketmaster UK, Get Me In! and TicketWeb websites. Those potentially affected are British customers who bought or attempted to buy tickets between February and 23 June 2018, and international customers who used the service between September 2017 and 23 June 2018.

While the hack was initially thought to be an isolated incident, a new report by security firm RiskIQ, Inside and Beyond Ticketmaster: The Many Breaches of Magecart, reveals the compromised Inbenta plug-in also ran on hundreds of other websites, including “many of the most frequented ecommerce sites in the world”.

According to RiskIQ, the attack was undertaken by a hacking group, Magecart, who placed a “digital skimmer” – an internet version of the physical ‘skimmers’ hidden in credit-card readers in shops and cash machines – on the Ticketmaster sites via Inbenta.

In addition to the Inbenta Technologies software, the RiskIQ report continues, Magecart injected its skimmer into another third-party supplier, SociaPlus, which is running on other Ticketmaster websites, including Ticketmaster Germany and Ticketmaster Australia.

Also affected is a third supplier, known as PushAssist, which provides analytics for websites, says RiskIQ.


Describing the Ticketmaster incident as “the tip of the iceberg”, the report’s authors, Yonathan Klijnsma and Jordan Herman, say: “The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to ecommerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern. We’ve identified over 800 victim websites from Magecart’s main campaigns, making it likely bigger than any other credit card breach to date. In the case of a single, highly targeted campaign we dubbed SERVERSIDE, we identified nearly 100 top-tier victims, mainly online shops of some of the largest brands in the world.

“Even more disturbing, the Ticketmaster breach demonstrates that the Magecart actors are continuing to refine their techniques and get better at target selection. Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have [got] smarter – rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer. In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.

“Currently, the publicly reported breaches are wrongly interpreted and sometimes aren’t breaches at all. They’re all part of the operation of Magecart, a single group that many reports fail to identify, which is spreading faster and wider than ever before.”

RiskIQ first identified the existence of Magecart – which has previously compromised the websites of publisher Faber and Faber and fashion brands Guess and Rebecca Minkoff – in October 2016.

 


Get more stories like this in your inbox by signing up for IQ Index, IQ’s free email digest of essential live music industry news.

MSG venues hit by credit card security breach

In an almost year-long security breach, customers at five venues operated by the Madison Square Garden Company (MSG) may have had their names, credit card numbers and card expiration dates stolen by hackers with “unauthorised access” to MSG’s payment-processing system.

Anyone who paid for merch, food or beverages at Radio City Music Hall, the Beacon Theatre, The Chicago Theatre or the Garden itself (including The Theater at Madison Square Garden) between 9 November 2015 and 24 October 2016 may be affected, the New York-based company warns, although it stresses it has “fixed the issue, and customers may use their cards with confidence at MSG venues”.

“It is important to note that MSG has fixed the issue, and customers may use their cards with confidence at MSG venues”

MSG is providing information and advice to affected customers on a dedicated section of its website, and advises that anyone with suspicious activity on their card statement should “immediately report any unauthorised charges to their card issuer, because payment card rules generally provide that cardholders are not responsible for unauthorised charges reported in a timely manner”.

The Madison Square Garden Company grew turnover 21% in the most recent financial quarter, to nearly US$182 million.

 

