
Cyber Incident Victim: Euro Cup Tickets Reseller

Date: Dec 2019

Location: Japan

Summary

A ticket reseller for major international sporting events was compromised by MageCart attackers who injected malicious code into a legitimate JavaScript library used on their websites, enabling theft of payment card details during checkout. The skimming script, hidden within a modified Slippry library, activated on pages containing payment-related keywords and exfiltrated data to an attacker-controlled domain. Security researchers identified the infection on two affiliated sites, noting the skimmer operated undetected for over seven weeks on one platform and approximately two weeks on the other. Despite multiple disclosure attempts by researchers, including emails and live chat contacts, the operator initially failed to remediate the issue promptly. The breach exposed customers' financial information during the active skimming period before eventual mitigation.


Description

In late 2019 and early 2020, two ticket resale websites—OlympicTickets2020.com and EuroTickets2020.com—were compromised by MageCart attackers who injected card-skimming malware into their checkout processes. Security researcher Jacob Pimental first identified the malicious code on OlympicTickets2020.com, where it had been active since at least December 3, 2019. The skimmer was embedded within a legitimate JavaScript library called Slippry, specifically in the "/dist/slippry.min.js" file, using obfuscation to conceal its presence. When the Slippry slider loaded during checkout, the malware activated upon detecting payment-related keywords such as "checkout," "cart," or "billing" in the URL. It then harvested payment card details entered by customers and exfiltrated them to the attacker-controlled domain opendoorcdn[.]com. Analysis revealed the same compromised library on EuroTickets2020.com, which had been infected since at least January 7, 2020. Both sites shared identical layouts, owner information, and customer support contacts, confirming they were operated by the same entity. The skimmer remained undetected for approximately 50 days on the Olympic site and two weeks on the Euro site before researchers intervened.
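For site operators, the incident above comes down to a self-hosted copy of a third-party library drifting from the vendor's release. The following added example (not code from this page, the researchers, or the Slippry project) compares a served file against a pinned vendor copy and reports what the changed region contains. The function names, the allowlist parameter, and all sample strings are hypothetical and constructed; it assumes the pinned copy was taken from a trusted vendor release.

```javascript
// Added example: audit a self-hosted library file against a pinned vendor copy.
// Any difference is itself the finding; the extra fields help triage it.
const PAYMENT_KEYWORDS = ['checkout', 'cart', 'billing']; // keywords named on this page
const OBFUSCATION_MARKERS = [
  /\beval\s*\(/, /\batob\s*\(/, /String\.fromCharCode/, /(\\x[0-9a-f]{2}){8,}/i,
];

// Return the part of `served` not shared with `pinned` as a common prefix or suffix.
function extractModification(pinned, served) {
  const max = Math.min(pinned.length, served.length);
  let start = 0;
  while (start < max && pinned[start] === served[start]) start++;
  let end = 0;
  while (end < max - start &&
         pinned[pinned.length - 1 - end] === served[served.length - 1 - end]) end++;
  return served.slice(start, served.length - end);
}

// allowedHosts: hosts the library is expected to reference (assumption: operator-supplied).
function auditLibrary(pinned, served, allowedHosts) {
  if (pinned === served) {
    return { modified: false, keywords: [], hosts: [], obfuscated: false };
  }
  const delta = extractModification(pinned, served);
  const lower = delta.toLowerCase();
  const hosts = [...delta.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)]
    .map((m) => m[1].toLowerCase())
    .filter((h) => !allowedHosts.includes(h));
  return {
    modified: true,
    // A slider library has no reason to test for checkout-page URLs.
    keywords: PAYMENT_KEYWORDS.filter((k) => lower.includes(k)),
    hosts: [...new Set(hosts)],
    // Obfuscated payloads may hide keywords and hosts; flag the markers instead.
    obfuscated: OBFUSCATION_MARKERS.some((re) => re.test(delta)),
  };
}

// Constructed, inert samples: a stand-in "vendor" file and a tampered copy of it.
const PINNED = '(function($){$.fn.slider=function(){return this;};})(jQuery);';
const TAMPERED = PINNED +
  ';(function(){if(/checkout|cart|billing/.test(location.href)){' +
  'var p=atob("c2FtcGxl");var h="https://collector.example/";}})();';

console.log(auditLibrary(PINNED, TAMPERED, ['cdn.example']));
```

Because the page notes the injected code was obfuscated, empty `keywords` and `hosts` fields do not clear a file; `modified: true` alone warrants investigation.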


Researchers Pimental and Max Kersten collaborated to analyze the threat, with Kersten recognizing similarities between the loader code and a sample he had encountered in March 2019. Using UrlScan, they confirmed the malicious Slippry library’s presence on both sites. Despite multiple responsible disclosure attempts—including emails, tweets, and live chat inquiries—the websites’ operator initially failed to respond or act. The security team for the sites dismissed the reports twice, claiming no malicious activity was found, even after researchers provided explicit details about the compromised file. The skimmer was eventually removed following persistent follow-up by Pimental and Kersten, though the exact timeline of its eradication remains unspecified. Customers who purchased tickets between December 3, 2019, and January 21, 2020, were advised by the researchers to assume their payment data had been stolen and to contact their banks for card replacements. The incident exposed an extended period of financial risk for buyers of Euro Cup and Olympics tickets, with no public statement or remediation details provided by the affected reseller.
