Top 3 Spookiest Data Breaches of 2018
October 30, 2018
by Ohad Hagai
Halloween came early for many corporate giants in 2018. On All Saints’ Eve, we are going to break down the top 3 hacks of the year caused by 3rd party script vulnerabilities and loopholes.
Multiple sources have confirmed that Magecart is the criminal group behind the nightmares experienced by Newegg and British Airways this year. In both cases, hackers targeted customers’ payment data by injecting malicious 3rd party scripts into payment page components. Let’s take a closer look at these attacks.
British Airways – Almost 400,000 Customers Affected
On 7 September, news broke that BA’s website and mobile app were breached between August 21 and September 5, affecting 380,000 people.
Traditional blacklisting techniques and Web Application Firewalls (WAFs) are becoming ineffective. More and more cybercriminals are using malicious 3rd party scripts to contaminate strategic webpages, where thousands of users perform sensitive actions such as payments or registrations.
Failing to detect the data breach and to alert the required people within 72 hours is also a direct violation of the General Data Protection Regulation (GDPR).
Newegg – 50 Million Monthly Shoppers At Risk
US-based Newegg Inc., a leading computer hardware and consumer electronics online retailer, hit the news in September 2018 for all the wrong reasons.
Cybercriminals injected 15 lines of code into Newegg’s payments page, which can be accessed via web and mobile. This malicious code stayed on the page from August 14th all the way till September 18th. The script, placed on the final checkout page, skimmed personal credit card info from unsuspecting customers.
Not only was the functionality of the script nearly identical to the original one, the attackers also managed to minimize and beautify it, making it less detectable. The stolen data was then transferred to a server with a similar domain name and an HTTPS certificate that the hackers had set up in advance.
Newegg has refused to dive into exact details, but some kind of scripting vulnerability was exploited. For example, 3rd party tags for analytics or BI purposes can potentially introduce loopholes when the vendor makes code changes or due to “hidden connections” with 4th party services.
Regardless of the exact technique used, the illegal exporting of data to the external server (creation of a malicious service) went totally undetected.
[Image: The Malicious Code Used in the Newegg Hack]
Ticketmaster – 40,000 British User Accounts Compromised
On June 27, 2018 it was reported that up to 40,000 British customers may have had their credit card information stolen due to a security breach. Ticketmaster’s PR department eventually confirmed that a hacking of their systems affected UK transactions between February 2018 and 23 June 2018.
Upstart bank Monzo is even claiming that the breach started on April 6, when 70% of its customers who complained about fraud had also made a purchase through Ticketmaster on the same day. Monzo promptly alerted Ticketmaster about the incidents, but the American company paid little attention to their claims.
Hackers soon discovered that this script was being run on the payments page. They modified it to harvest user information and payment credentials.
Take Control of Your 3rd Party Tags and Scripts
First and foremost, all 3rd party tags and scripts (along with 4th party dependencies) should be scrutinized by multiple sources prior to their implementation. Besides helping with proper performance and monetary evaluation, this also helps eradicate the lack of visibility within the organization.
A proper internal approval process is key when it comes to implementing new tags and scripts. This is the first line of defence for any online company today.
Secondly, having a comprehensive service monitoring system in place can help you locate code changes in 3rd party tags and even in-house scripts. This can also help you identify newly created malicious services (exporting of sensitive data to an unidentified server) and eliminate them quickly.
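As an added illustration of the monitoring described above (not code from the original article or from any vendor), the Python example below compares one page load against an approved inventory: it flags a 3rd party script whose content hash has changed and any request sent to a host outside the approved list. The function names, hosts, URLs and script bodies are assumptions constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def sri_sha384(body: bytes) -> str:
    """Return the Subresource Integrity style digest of a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_page(approved_scripts, approved_hosts, loaded_scripts, outbound_urls):
    """Compare one page load against the approved inventory.

    approved_scripts: {script URL: approved SRI digest}
    approved_hosts:   hosts the page is allowed to send data to
    loaded_scripts:   {script URL: body bytes} seen on this page load
    outbound_urls:    URLs that received requests during this page load
    Returns a sorted list of (finding, detail) tuples.
    """
    findings = []
    for url, body in loaded_scripts.items():
        if url not in approved_scripts:
            findings.append(("unapproved-script", url))
        elif sri_sha384(body) != approved_scripts[url]:
            findings.append(("script-changed", url))
    for url in outbound_urls:
        host = (urlsplit(url).hostname or "").lower()
        if host not in approved_hosts:
            findings.append(("unknown-destination", host))
    return sorted(set(findings))


# Constructed sample data: every host, URL and script body here is made up.
TAG_URL = "https://tags.vendor.example/analytics.js"
ORIGINAL = b"function track(e){send('/collect',e.type)}"
CHANGED = ORIGINAL + b"/* vendor pushed an unreviewed change */"
APPROVED_SCRIPTS = {TAG_URL: sri_sha384(ORIGINAL)}
APPROVED_HOSTS = {"shop.example", "tags.vendor.example", "pay.gateway.example"}


def demo():
    """Audit a clean page load and one with a changed tag and a new destination."""
    clean = audit_page(APPROVED_SCRIPTS, APPROVED_HOSTS, {TAG_URL: ORIGINAL},
                       ["https://pay.gateway.example/charge"])
    changed = audit_page(APPROVED_SCRIPTS, APPROVED_HOSTS, {TAG_URL: CHANGED},
                         ["https://pay.gateway.example/charge",
                          "https://shop-stats.example/collect"])
    return clean, changed
```

Run on a schedule against the payment page, a non-empty result is the signal to pull the tag and investigate before more checkouts pass through it.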
Only a proactive approach can help fortify user privacy and boost online security standards. Online publishers and eCommerce vendors, regardless of their size and geographical location, have to make sure they have the required best practices and monitoring solutions in place to create a secure online domain.