
Over Two Years of Credit Card Theft: See Tickets Discloses Online Skimmer That Has Been Operating Since Mid-2019

Anyone who has made an online purchase from See Tickets in recent years is a possible victim of credit card theft, as the company has disclosed that a skimmer was operating on its website from June 2019 to January 2022.

See Tickets is owned by major entertainment conglomerate Vivendi and operates in the United States, Canada and multiple countries throughout Europe. In recent years the company has sold as many as 20 million tickets per year, servicing major events such as Glastonbury Festival, LA Pride and the Pitchfork Music Festival.

Credit card theft went undetected for years, took nine months to fully remediate

See Tickets launched a new digital ticketing system in 2019 that was meant to combat automated bots that buy up tickets and “scalp” them at inflated prices, adding a barcode tied to a personal online profile. But months before that system went active, the company had been quietly penetrated by hackers and had a skimmer designed for credit card theft placed on an undisclosed domain.

It remains unclear exactly what regions of the world were impacted and how many credit card theft victims there are in total, as See Tickets has not released much information about the attack. The company has a global website in addition to five region-specific domains, and it is still unknown which of these was impacted.

It is known that the skimmer was designed to siphon off all of the payment information entered during the online purchase process: full name, billing address with zip code, card number, CVV code and expiration date. The company specified that bank information, Social Security numbers and state identification numbers were not stolen (in cases where those might have been asked for during purchase).

The skimmer consisted of JavaScript code inserted into a purchase page during a breach on June 25, 2019. The company detected the breach in April 2021, but was not able to fully remove the malicious code until January 2022. According to an internal investigation that concluded in September of this year, the credit card theft window may have been open during that full period of just over 30 months.

The public notification recently issued by See Tickets urges customers to be vigilant for unauthorized purchases appearing on any cards they may have used to buy tickets, but does not offer any assistance or new contact information for those who believe they may have been victims of credit card theft.

No information yet from See Tickets on geographic range, but customers in several US States believed to be impacted

Though See Tickets has not confirmed which specific countries were impacted (or if the entire global system was breached), there are some crumbs of information that indicate United States customers were impacted at a minimum.

The information on the credit card theft stems from a data breach notification filed with the Montana Attorney General’s office, but it also lists contact information for identity theft resources for a number of other states.

A similar notification was filed with the Attorney General of Texas, indicating that about 92,000 See Tickets customers in the state have been impacted by credit card theft tied to the incident. Letters of notification of the breach were reportedly mailed out to each of these victims on October 24.

The use of e-skimmers for online credit card theft saw an immediate uptick with the start of the Covid-19 pandemic and has continued at elevated levels. This has been headlined by Magecart attacks, a particular piece of malware used by several prominent cybercrime groups. Magecart and similar advanced skimmers often dwell on victim sites for months (or years in this case) because automated crawlers and scans often fail to detect them. The malicious code is often concealed by injecting scripts that call it from a remote server into the page rather than directly placing it on the target website. Skilled skimmer groups also use a new domain name with each of these new attacks to further hide from automated detection systems, and usually bundle the malicious code with legitimate JavaScript frameworks to make it less noticeable.
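One defensive check that follows from this, as an added example that is not code from See Tickets or from the article: audit a purchase page's `<script>` tags against a reviewed baseline, so that a loader pointing at a new remote domain or an unreviewed inline script is flagged. The hosts, the SRI value, the baseline and the sample HTML are constructed, and the function names are hypothetical.

```javascript
// Added example: audit a checkout page's <script> tags; all hosts, hashes and HTML are constructed.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('base64');
const ATTR_RE = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Pull out every <script> element with its attributes and inline body.
function extractScripts(html) {
  const scripts = [];
  for (const [, attrText, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const attrs = Object.create(null);
    for (const [, name, dq, sq, bare] of attrText.matchAll(ATTR_RE)) {
      attrs[name.toLowerCase()] = dq ?? sq ?? bare ?? '';
    }
    scripts.push({ attrs, body: body.trim() });
  }
  return scripts;
}

// Flag unapproved hosts, cross-origin scripts without SRI, and inline scripts not in the baseline.
function auditScripts(html, pageUrl, baseline) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  for (const { attrs, body } of extractScripts(html)) {
    if ('src' in attrs) {
      const url = new URL(attrs.src, pageUrl); // resolves relative and //host forms
      if (!baseline.allowedHosts.has(url.host)) {
        findings.push({ type: 'unapproved-host', detail: url.host });
      } else if (url.origin !== pageOrigin && !attrs.integrity) {
        findings.push({ type: 'missing-sri', detail: url.href });
      }
    } else if (body && !baseline.inlineHashes.has(sha256(body))) {
      findings.push({ type: 'unreviewed-inline', detail: body.slice(0, 40) });
    }
  }
  return findings;
}

const APPROVED_INLINE = "window.checkoutConfig = { currency: 'USD' };";
const BASELINE = { allowedHosts: new Set(['shop.example', 'cdn.shop.example']),
                   inlineHashes: new Set([sha256(APPROVED_INLINE)]) };
const SAMPLE_PAGE = `<head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/fw.min.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.shop.example/widgets.js"></script>
<script>${APPROVED_INLINE}</script>
<script src="//static-metrics.example/fw.min.js"></script>
</head>`;
console.log(auditScripts(SAMPLE_PAGE, 'https://shop.example/checkout', BASELINE));
```

This inspects static HTML only; scripts added to the page at runtime appear only in the rendered DOM, so the same comparison would have to run there as well.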

Online skimmers are also a particular credit card theft problem as there is little that the end user can do to protect themselves. Home antivirus and antimalware systems will usually not notice skimmers while an online purchase is being made, and the attack does not alter the appearance or function of legitimate sites in any way. Customers essentially have to rely on the e-commerce site to be on top of their internal security, but an extra layer of protection can be added by using intermediary payment processors that require a separate login during payment (like PayPal) when the option is available.

As Erich Kron, security awareness advocate at KnowBe4, notes, businesses that accept online payments need to incorporate regular code reviews into their security posture to ensure that they are not unwittingly being used as a credit card theft farm: “This was a very long time to have code like this running on an organization’s website. In addition, the amount of time that passed from when it was discovered, to when it was removed was exceptionally long. Code reviews are a necessary part of running an e-commerce website with any significant amount of traffic at all. Incident response plans should be in place to quickly deal with instances of malware either within the organization, or on the website.”