Ticketmaster breach was part of a larger credit card skimming effort, analysis shows

The breach wasn't a one-off event, as believed, but part of a massive credit card skimming operation.
Written by Zack Whittaker, Contributor

A recent breach at Ticketmaster was just "the tip of the iceberg" of a wider, massive credit card skimming operation, new research has found.

At least 800 e-commerce sites are said to be affected, after they included code developed by third-party companies and later altered by hackers, according to security firm RiskIQ.

The skimming effort is one massive campaign by a threat group -- dubbed Magecart, and operational since at least 2015 -- that targets software companies which build and supply code that developers include on their websites to improve the site or the customer experience. Once the hackers break in and alter that code, the change affects every website the code runs on, potentially exposing millions of users every day.

Yonathan Klijnsma, a threat researcher at RiskIQ, said Magecart has a larger reach "than any other credit card breach to date, and isn't stopping any day soon."

By targeting each third-party code supplier, the hackers can in some cases get "nearly 10,000 victims instantly," said the research.

Cast your mind back to last week's Ticketmaster breach. The ticket-selling giant admitted that some customers had their payment data compromised because its website was running code from Inbenta, a customer support software company, which hackers had altered. It's not uncommon for websites to rely on third-party code, hosted on other sites and services, to support their own. But such dependencies present a single point of failure which, if breached, can affect every site the code is loaded on.

Inbenta said only Ticketmaster was affected, while Ticketmaster said only a few of its sites ran the compromised code.

But RiskIQ now says that the Ticketmaster breach was far bigger than first thought, after finding that several of its global sites -- including its US site, which had initially been ruled out as affected -- were running code from another third-party company that had also been compromised by the threat group.

According to RiskIQ, code hosted by social analysis company SociaPlus had also been breached. The hackers had changed the code to quietly skim the credit cards entered at the checkout of any site that the code was served on, obfuscating their malicious code and appending it to the end of the JavaScript library.

"Any button or form is hooked so when a user clicks a button or submits a form, the skimmer extracts the name and value of the fields on the page, combines them, and sends them to the drop server owned by the Magecart actors," said the RiskIQ researchers.

A spokesperson for Ticketmaster said prior to publication that it was "hard to comment" without seeing the report, and reiterated earlier comments, denying the claims in the new report.

SociaPlus did not respond to a request for comment.

Magecart also targeted other third-party code companies, which e-commerce sites rely on for analytics, website support, and content delivery.

Using its proprietary threat investigation platform, RiskIQ found that four third-party code suppliers had been hacked by Magecart, resulting in compromised JavaScript scraping the personal information of any user on every site that contained and loaded the code.

We checked the affected code of several companies named in the report, including PushAssist and Clarity Connect, and found their libraries were still serving malicious code -- except Annex Cloud, which appeared to have removed or replaced the code.

All of the code libraries, served on a countless number of websites, were skimming data from those sites and sending it to a central Magecart-controlled server.

In one case, the hackers left a message, saying: "If you will delete my code one more time I will encrypt all your sites!"

None of the companies responded to a request for comment. If that changes, we'll update.

Klijnsma said that it wasn't clear how each company was compromised. With so many companies affected, a co-ordinated disclosure was impossible, he said.

But he said the Magecart threat group "extends well beyond Ticketmaster," adding that RiskIQ had found close to 100 top-tier sites, such as large brands and online shops, affected, though he did not name any specific companies.

"Personally I don't trust a single online store anymore," he said. "Every single one of them could have their supply chain of functionality suppliers compromised."
