British Airways, Ticketmaster and Newegg hacks part of massive Magecart formjacking campaign

(Image credit: Shutterstock)

A spate of recent attacks against established brands including British Airways, Ticketmaster, and Newegg have been found to be part of a wider formjacking campaign that's involved almost a quarter of a million attacks since mid-August.

Hacking collective Magecart has been pinpointed by researchers as the group responsible for a massive spike in attacks this month, as a host of firms continue to reckon with crippling attacks to their infrastructure, and a loss of sensitive customer data.

Formjacking, according to researchers at Symantec, involves injecting malicious script into a web page, and waiting for a user to fill out an embedded form with their personal and financial details. When the user submits the form to complete a purchase, data is sent to the merchant website, and a copy is also sent to the attacker.

Although Symantec has blocked 248,000 formjacking attempts since 13 August, more than a third of those occurred between 13 and 20 September. Moreover, the number of attacks detected during this period increased 117% against the same week in August from 41,000 last month to almost 88,500.

"While the compromise of larger organisations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking," Symantec's security response team wrote in a blog.

"Victims may not realise they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection."

Although attackers can use many methods to compromise websites, researchers noticed that Magecart attacks tended to target weaknesses in an organisation's supply chain. Because these smaller firms provide their larger partners with a variety of services, vulnerabilities in their systems can be exploited as an entry route into the larger company.

June's Ticketmaster breach, which affected 40,000 UK customers, was the first major headline-grabbing attack that exploited the method. Magecart was able to alter JavaScript code on Ticketmaster's websites to capture customer information, having first compromising a partner's customer service chatbot.

In subsequent high-profile attacks against British Airways, which affected 380,000 customers, and hardware retailer Newegg, Magecart used a similar method while also taking steps to avoid detection.

These included setting up spoofed web domains that feigned the appearance of a legitimate company, and purchasing SSL certificates to make the servers seem legitimate.

"The group used to primarily focus on hacking into Magneto online stores," the security response team continued, "but it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data."

There were 1,000 instances of formjacking blocked by Symantec between 18 and 20 September, targeting 57 individual sites. Analysis shows they were mostly online retailers, but ranged from niche shops to massive enterprises.

Symantec's researchers warned business to be aware of the dangers of software supply chain attacks, given these have been used as the main route of infection in many instances.

Although difficult to guard against, a number of measures, including testing new updates in small test environments first and behaviour monitoring of all system activity, may go some way towards mitigating the risks.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.