Report suggests Ticketmaster breach was broader than initial disclosure

A RiskIQ researcher says targeting third-party web apps is the "supply chain attack for the web."
Ticketmaster breach

A payment data breach disclosed by Ticketmaster UK last month was just one effort amid a much wider skimming campaign, according to a report released Tuesday by cybersecurity company RiskIQ.

Ticketmaster UK said that it was breached via Inbenta, a third-party customer service chat application it used on its website. According to RiskIQ, the breach was the work of Magecart, a threat group that seeks out insecure code on e-commerce website. The group then modifies or replaces the code in order to steal customers’ payment information.

Ticketmaster’s and Inbenta’s initial accounts of the breach differed slightly.  The ticketing giant stressed that the compromise happened via a tool provided by Inbenta. While Inbenta acknowledged that the JavaScript code provided to Ticketmaster was the source of the breach, Inbenta claimed the breach occurred because the ticketing company applied the code to its payments page without notifying Inbenta.

However, RiskIQ says it observed instances where the Inbenta code provided to Ticketmaster, which was hosted on Inbenta servers, “had been wholly replaced with Magecart skimmers.” RiskIQ says this suggests that Inbenta was breached.


“To modify the source of this module, the attackers would have needed access to Inbenta’s systems in some way or form,” the report says.

Another possibility that RiskIQ suggests is that an administrative account with access to the Inbenta module was breached.

“Unless the companies provide more transparency into the event, we will never know,” RiskIQ writes.

Reached for comment, an Inbenta spokesperson did not provide any more information about how Inbenta’s code was compromised, pointed CyberScoop to a statement saying that Ticketmaster was the only impacted customer.

When Ticketmaster disclosed the breach, it said Inbenta’s tool was running on several websites that the ticketing service runs: International, UK, GETMEIN! and TicketWeb. But RiskIQ says spotted the Magecart skimmer on other Ticketmaster websites: Ticketmaster Ireland, Ticketmaster Turkey, Ticketmaster New Zealand and Ticketmaster Australia.


Beyond that, RiskIQ says Ticketmaster’s Germany, Australia and International websites were compromised by way of a totally separate third-party vendor, SOCIAPlus, a digital marketing platform.

“Ticketmaster uses a lot of third parties to supply functionality on their websites which are still a risk for them as we’ve seen with Inbenta,” Yonathan Klijnsma, a researcher at RiskIQ, told CyberScoop by email. “Magecart is the supply chain attack for the web.”

RiskIQ says that Magecart’s campaign extends well beyond Ticketmaster and Inbenta, claiming it identified 800 websites that have fallen victim to its skimmer. They’ve been able to do that, RiskIQ explains, by targeting third-party applications (like Inbenta) rather than individual websites.

The researchers say they are able to link the campaign to all these victims because of a common command and control server used by Magecart.

Klijnsma said RiskIQ did not coordinate the release of its report with Ticketmaster or any other victim it identified, but that it plans to release a broader report on Magecart after completing a coordinated effort.


Ticketmaster did not respond to a request for comment.

Latest Podcasts