
Magecart: group behind BA and Ticketmaster breaches is targeting hundreds of sites

When news of British Airways’ huge data breach emerged earlier this month, it was initially considered to be an isolated incident.

But just a few days later, researchers at RiskIQ linked the attack to the Magecart group, a cybercriminal gang also thought to have been behind the other big breach of the summer: the Ticketmaster hack.

Magecart is known for a kind of attack called formjacking, in which criminals insert malicious JavaScript code into e-commerce sites to harvest their customers’ credit card details.

Now, new research from Symantec suggests that rather than turning down the heat after its alleged hits on Ticketmaster and BA, Magecart has ratcheted up its campaigns.

Since mid-August, Symantec has blocked almost a quarter of a million instances of attempted formjacking, and the surge shows no signs of abating; Symantec blocked 88,500 attacks during the week of 13-20 September, more than twice as many as the same week in August.

“As we can see from the publicly reported attacks, Magecart is targeting large e-commerce businesses like Ticketmaster, British Airways, and Newegg,” Symantec researchers wrote in a blog post.

To better understand the targets, analysts examined 1,000 instances of formjacking. “57 individual websites were impacted,” the analysts said. “[They] were mostly online retail sites ranging from small niche sites to larger retail operations. Websites affected ranged from a fashion retailer in Australia, to a supplier of outdoor accessories in France, and a fitness retailer in Italy.”

The Ticketmaster breach affected up to 40,000 customers in the UK alone and has been blamed on formjacking malware in a customer support product supplied by a third party. RiskIQ research suggested that the campaign to infiltrate third-party suppliers exposed at least 800 e-commerce sites.

“The danger is,” Symantec’s researchers noted, “that if Magecart can compromise one widely used third-party supplier, they could potentially infect thousands of sites in one go.”