MageCart Gang Compromises Olympic Ticket Site and Others

Last week this publication covered the arrest of three individuals accused of being part of a MageCart gang in Indonesia. This week brings more related news regarding MageCart attacks but so far none of this group has yet to be brought in front of a court. MageCart attacks often involve the injection of malicious JavaScript code into a trusted website's eCommerce checkout page. The malicious code then skims the card details entered by the customer resulting in the theft of consumer data. MageCart groups either gain access to the website directly or via third-party tools, such as analytics applications, to inject the malicious code.

Initially, a MageCart gang targeted an Olympic ticket reseller olympictickets2020[.]com by carrying out a MageCart-like attack on the website. Security researchers Jacob Pimental and Max Kersten discovered the attack, subsequently notified the company selling the tickets, and then later published their findings in late January 2020. The two researchers discovered that the group managed to append malicious code to the end of a legitimate JavaScript library, along with extra obfuscated code to help hide the group’s intentions. Once the researchers had managed to clear all the junk code away it was discovered that the malicious code would send the skimmed card details to opendoorcdn[.]com. Before any of this information was released to the public the researchers attempted to notify the ticket reseller via Twitter and email, as well as the chat feature included on the website in question. The pair did not receive much in the way of correspondence, however, it was noticed that the malicious code had been removed from the website on January 21, 2019.

The researchers also discovered that a sister website eurotickets2020[.]com was hosting the same malicious code. As to the extent of the attacks and how many customers had been affected before the code was removed, a lot still remains unknown.

magecart gang olympic ticket compromise

The researchers did manage to find some clues which allude to the extent of the attack with the pair stating,

“Digging into the extent of the infection, Max and I found that the company’s other site, eurotickets2020.com is also compromised with the same variant of Magecart. This can be found by searching for the hash via UrlScan…The furthest date back this was scanned was 2 months ago according to UrlScan, so it is unclear exactly how long the malicious code has been on their site. Max also took a look at the URL using the Wayback Machine and found the skimmer indexed on December 3rd, 2019. The URL for the eurotickets site can be seen dated back to January 7th, 2020. This gives us a rough estimate that the code may have been on the site for 50 days, but it is always possible that it was there longer.”

Not Just Two Websites Targeted

Soon after the initial discovery, the pair of researchers found several websites also infected with malicious code intended for MageCart attacks. What was interesting with the later discoveries is that the group appeared to have changed tactics. In the attacks on the ticker resellers, a legitimate script was injected with malicious code, with the others there was no legitimate script used to hide the malicious code. This increases the chances of been detected, but as Max Kersten pointed out, begs the question as to why are the infected websites hosting the code in the first place? Further, it was stated to try and explain this oddity,

"In the previous case (where two sites were owned by the same company), the skimmer was disguised within a legitimate jQuery library. On the one hand developers could have copied the library’s code to the server and used it. On the other hand, the servers could be breached by the actor(s), who then placed the link to the skimmer on the website.”

The two researchers continued to analyze what they had found and many of the websites hosting the code were infected in October and November 2019. These sites hosting the malicious code include Supreme Product, Parts Place Inc, Bahimi, Natural Pigments, Zhik, Tapis-Deluxe, Titans Sport, TJ VIP, CDNN Sports. The websites were notified on January 27, 2019, with almost all of them removing the malicious code from websites in due course. At the time of writing, it appears Titans Sports still is yet to remove the code. The researchers also discovered several other files hosted by the group’s OpenDoorCDN domain, with the first interesting file been a replica of the skimmer used but with different variable names. Another file, which was removed from while analysis of the domain was ongoing, was a version of CoalaBot a DDoS botnet.

The researchers then looked to take down the MageCart operation at its source by taking down the domain they operated from. The domain the group hosted was registered with a Russian hosting service Selectel and was registered under a Chinese company called Webnic. Once the Chinese company was contacted they subsequently took the domain name down, effectively ceasing the group’s skimming operations, for the moment at least. If readers have had any transactions with the websites listed above they are advised to contact their bank about replacing your bank card as it may have been skimmed. Often card details stolen in this method are sold online or used for online purchases. Even with the domain being taken down and skimming operations put to a halt, the group may register another domain in the future and continue operations. eCommerce web stores are advised to follow measures intended to protect themselves and their customer base as MageCart attacks seem like they will be around for a while to come.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal