Security specialist Jacob Pimental discovered the card skimmer on OlympicTickets2020.com, hiding behind a legitimate library.
Hackers had compromised the website and injected obfuscated malicious code into the library.
Security researcher Max Kersten worked alongside Pimental analysing the infection. In a post, Kersten explained that he had come across the same Magecart skimmer in March 2019, stating: “The structure of the loader is, aside from the random variable names and script content, exactly the same.”
After de-obfuscation, both Kersten and Pimental discovered that the script looks for specific keywords associated with a payment page such as checkout, store, order, billing and basket.
“If it finds any of those keywords in the website, it will send the information in the credit card form to opendoorcdn[.]com,” said Kersten.
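As an added illustration (not code from the researchers or from either site), the check below audits recorded browser requests using the article's keyword list and the reported exfiltration domain. The record format, the allow-list, the `.example` hosts and the choice to match keywords against the page URL are all assumptions.

```javascript
// Added example: audit recorded browser requests for card-skimmer exfiltration.
// Keywords are the ones the article lists; matching them against the page URL is an assumption.
const PAYMENT_KEYWORDS = ["checkout", "store", "order", "billing", "basket"];
// Indicator from the article, kept defanged in source and refanged for matching.
const KNOWN_BAD_HOSTS = ["opendoorcdn[.]com"].map((h) => h.replace(/\[\.\]/g, "."));

function isPaymentPage(pageUrl) {
  const u = pageUrl.toLowerCase();
  return PAYMENT_KEYWORDS.some((k) => u.includes(k));
}

// True for the domain itself or any subdomain, but not for look-alike suffixes.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// records: [{ page, request }] (hypothetical format, e.g. built from proxy logs or CSP reports).
// allowedHosts: hosts the shop expects its payment pages to contact.
function auditRequests(records, allowedHosts) {
  const findings = [];
  for (const r of records) {
    let host;
    try {
      host = new URL(r.request).hostname.toLowerCase();
    } catch {
      findings.push({ ...r, reason: "unparseable-url" });
      continue;
    }
    if (KNOWN_BAD_HOSTS.some((d) => hostMatches(host, d))) {
      findings.push({ ...r, host, reason: "known-skimmer-host" }); // flagged on any page
    } else if (isPaymentPage(r.page) && !allowedHosts.some((d) => hostMatches(host, d))) {
      findings.push({ ...r, host, reason: "unlisted-host-on-payment-page" });
    }
  }
  return findings;
}

// Constructed sample data; shop.example and the other .example hosts are placeholders.
const ALLOWED_HOSTS = ["shop.example", "psp.example"];
const SAMPLE_RECORDS = [
  { page: "https://shop.example/checkout/payment", request: "https://api.psp.example/v1/charge" },
  { page: "https://shop.example/checkout/payment", request: "https://" + KNOWN_BAD_HOSTS[0] + "/" },
  { page: "https://shop.example/basket", request: "https://stats.thirdparty.example/p.gif" },
  { page: "https://shop.example/blog/news", request: "https://fonts.thirdparty.example/a.woff" },
];

console.log(auditRequests(SAMPLE_RECORDS, ALLOWED_HOSTS).map((f) => `${f.reason}: ${f.host}`));
```

Because the keyword match is a plain substring test, unrelated paths such as a store locator will also be treated as payment pages, so expect to tune the allow-list.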
Both eurotickets2020.com and OlympicTickets2020.com have the same owner name and the same customer support phone number.
The skimmer on the OlympicTickets site has been present since December 3, 2019, and the skimmer on EuroTickets has been active since at least January 7, 2020. Fortunately, the skimmer has now been taken down from both websites.
After gathering their findings, the researchers attempted to tweet and email both websites to inform them of the skimmer, but received no reply.
“The second contact via the live chat provided us with the information that the security team could not find anything, after which the case was closed. Jacob gave them a call with the request to look into it again,” said Kersten.
“The day after, I contacted them again via the live chat system. Despite our instructions, the security team could not find the skimmer. This again led to the closure of the ticket. During that evening, the script got removed from the site.”
Customers who have purchased at either OlympicTickets2020.com or eurotickets2020.com between December 3, 2019 and January 21, 2020, are likely to have their credit card credentials compromised. Customers are urged to contact their bank and request a new card immediately.