25 January 2020

Olympic Ticket Reseller Magecart Infection

by Jacob Pimental

I have recently stumbled across a Magecart infection on an olympic ticket reseller site. This article will contain a brief analysis on the Magecart infection as well as my experience disclosing this information to the company. This is a joint analysis with Max Kersten, whose blog you can find here.

Initial Analysis

The initial infection can be found at https://olympictickets2020[.]com/dist/slippry.min.js. This appears to be the legitimate slippry.js library along with extra obfuscated javascript appended to the end of the file. The malicious code begins at the declaration of function bAQ.

The function itself appends data to the variable C46, which is then deobfuscated and append to the variable ih3. The easiest way to get the second stage payload would be to run the code inside the function in your browser’s developer console and print out the value of ih3 with the toString function.

From here the obfuscation is fairly simple. You can unminimize the JavaScript using a site like https://beautifier.io. Then we can just insert values into our javascript console and replace the obfuscated data with the result. Max Kersten has a great analysis of how the obfuscation works on his blog here. This script is not much different that the one in his article. After deobfuscation we can see that the script looks for the keywords:

onepage

checkout

store

cart

pay

panier

kasse

order

billing

purchase

basket

If it finds any of those keywords in the website, it will send the information in the credit card form to opendoorcdn[.]com.

Disclosure

Before going public about the infection, Max and I decided to tweet at the company urging them to get in touch with us. We also sent an e-mail to their customer support with the same information. The following Monday, Max decided to use the chat feature on their site to try to get in contact with their security team, since we hadn’t heard anything back. At first they did not find the malicious code and closed Max’s ticket.

After the ticket was closed, I decided to give them a call. I provided more detail as to what the infection was along with where they could find the malicious code. The support on the other line told me that they would pass along this information to their security team and they would contact me with the result.

Around noon on January 21st, Eastern Time, Max and I noticed that the malicious script was taken down, meaning they listened to our suggestions and were able to remove the malicious code from the site. The script now leads to a 404 page.

Extent

Digging into the extent of the infection, Max and I found that the company’s other site, eurotickets2020.com is also compromised with the same variant of Magecart. This can be found by searching for the hash via UrlScan.

The furthest date back this was scanned was 2 months ago according to UrlScan, so it is unclear exactly how long the malicious code has been on their site. Max also took a look at the URL using the Wayback Machine and found the skimmer indexed on December 3rd, 2019. The URL for the eurotickets site can be seen dated back to January 7th, 2020. This is gives us a rough estimate that the code may have been on the site for 50 days, but it is always possible that it was there longer.

Conclusion

If you have purchased tickets from olympictickets2020.com or eurotickets2020.com in the last 50 days I would suggest you contact your bank as your credit card information may be compromised. I would also like to thank Max Kersten for helping me with this analysis! If you have any comments or questions about feel free to reach out to me on my Twitter or LinkedIn.

Thanks for reading and happy reversing!

tags: Reverse Engineering - Malware Analysis - Magecart - Skimmer - JavaScript