Olympic Ticket Reseller Magecart Infection
25 January 2020
I have recently stumbled across a Magecart infection on an olympic ticket reseller site. This article will contain a brief analysis on the Magecart infection as well as my experience disclosing this information to the company. This is a joint analysis with Max Kersten, whose blog you can find here.
The function itself appends data to the variable C46, which is then deobfuscated and append to the variable ih3. The easiest way to get the second stage payload would be to run the code inside the function in your browser’s developer console and print out the value of ih3 with the toString function.
If it finds any of those keywords in the website, it will send the information in the credit card form to opendoorcdn[.]com.
Before going public about the infection, Max and I decided to tweet at the company urging them to get in touch with us. We also sent an e-mail to their customer support with the same information. The following Monday, Max decided to use the chat feature on their site to try to get in contact with their security team, since we hadn’t heard anything back. At first they did not find the malicious code and closed Max’s ticket.
After the ticket was closed, I decided to give them a call. I provided more detail as to what the infection was along with where they could find the malicious code. The support on the other line told me that they would pass along this information to their security team and they would contact me with the result.
Around noon on January 21st, Eastern Time, Max and I noticed that the malicious script was taken down, meaning they listened to our suggestions and were able to remove the malicious code from the site. The script now leads to a 404 page.
Digging into the extent of the infection, Max and I found that the company’s other site, eurotickets2020.com is also compromised with the same variant of Magecart. This can be found by searching for the hash via UrlScan.
The furthest date back this was scanned was 2 months ago according to UrlScan, so it is unclear exactly how long the malicious code has been on their site. Max also took a look at the URL using the Wayback Machine and found the skimmer indexed on December 3rd, 2019. The URL for the eurotickets site can be seen dated back to January 7th, 2020. This is gives us a rough estimate that the code may have been on the site for 50 days, but it is always possible that it was there longer.
If you have purchased tickets from olympictickets2020.com or eurotickets2020.com in the last 50 days I would suggest you contact your bank as your credit card information may be compromised. I would also like to thank Max Kersten for helping me with this analysis! If you have any comments or questions about feel free to reach out to me on my Twitter or LinkedIn.
Thanks for reading and happy reversing!