Magecart group jumps from Olympic ticket website to new wave of e-commerce shops

Skimmer references were spotted on domains serving customers worldwide.

How was Bezos phone hacked? Probably using Pegasus-3 spyware

A Magecart group has expanded its operations by compromising not only an Olympic ticket reseller but also a number of other websites referencing a single malicious domain hosting the underlying skimmer code. 

Magecart is a term used to describe the use of skimmer code to compromise e-commerce payment platforms. Legitimate websites seemingly fine to trust -- the British Airways portal and Ticketmaster being prime examples -- have been infected with this form of malicious code in the past, leading to the theft of consumer payment card numbers. 

JavaScript is either hosted by these domains or referenced. It can take time to spot hidden, malicious code in payment portals, and so weeks can pass before an infection is eradicated. Information stolen by cyberattackers can then be used to create clone cards or make fraudulent online purchases. 

See also: Magecart strikes again: hotel booking websites come under fire

Last month, security researchers Jacob Pimental and Max Kersten published research on a Magecart infection uncovered at Olympic ticket reseller olympictickets2020[.]com. Malicious code was obfuscated and appended at the end of a legitimate library, slippry.js, and used keywords -- including checkout, cart, pay, and basket -- to hone in on payment-related pages. Any stolen information was then sent to opendoorcdn[.]com. 

The company in question was notified and while the organization originally ignored the researchers' findings, the code was eventually removed. However, the team also found the same Magecart infection on a sister website, eurotickets2020[.]com. 

In a continuation of the investigation, the duo has uncovered a new swathe of websites that also reference the OpendoorCDN skimmer, and are therefore compromised by the same malicious code, detailed in a blog post on Monday. 

Some of the websites, listed below, have been infected since October and November last year. (Correction on the below: Bahimi: 19 November).

screenshot-2020-02-03-at-09-27-51.png

An analysis of the OpendoorCDN domain also revealed several other files of interest. One is a replica of the original skimmer with altered variable names and a different hash, whereas the other -- now removed -- was a packed .NET binary that creates a process called edge.exe, later revealed to be a version of the Coalabot botnet. 

CNET: FCC says phone company broke laws around location sharing

The websites infected with the skimmer were contacted, with initial emails sent out on January 27. At the time of writing, titanssports.com.b may still be impacted by the skimmer whereas the others have removed references to the skimmer. 

At the source, the skimmer was hosted by Russian hosting provider Selectel and the domain name was registered by a Chinese company called Webnic. Several days after being contacted, Webnic asked for proof of the malicious content and then suspended the domain, rendering every reference to OpendoorCDN useless and preventing the further injection of malicious code into websites; at least, for now. 

TechRepublic: Hackers using coronavirus scare to spread Emotet malware in Japan

Last month, Interpol and Indonesian police arrested three men on suspicion of being part of a Magecart gang in what is thought to be the first case of Magecart-related arrests. The unnamed suspects are 23, 27, and 35 years old. 

ZDNet has reached out to titanssports.com.br and will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0