Cyber Incident Victim: Olympic Tickets 2020

Date:

Dec 2019

Location:

Japan

Summary

A ticket reseller for major sporting events was compromised by MageCart attackers who injected card-skimming malware into a legitimate JavaScript library (Slippry) on their websites, enabling theft of payment details during checkout. The malicious script, activated by payment-related keywords, exfiltrated data to an attacker-controlled domain and remained undetected for approximately 50 days on one site and two weeks on another. Security researchers discovered the skimmer through code analysis and identified a second infected site operated by the same entity based on shared infrastructure and ownership details. Despite repeated disclosure attempts via email, social media, and live chat, the operator initially dismissed the findings before eventually removing the malware. Customers transacting during the affected periods likely had payment card information stolen.

Description

In December 2019, a MageCart card-skimming operation compromised OlympicTickets2020.com, a secondary market reseller for Tokyo Summer Olympics and Euro Cup tickets. Security researcher Jacob Pimental identified malicious JavaScript hidden within a legitimate Slippry library file ("/dist/slippry.min.js") on the site, where attackers obfuscated skimming code that activated when the content slider loaded. The malware triggered upon detecting payment-related keywords like "checkout," "cart," or "billing" during transactions, harvesting credit card details and exfiltrating them to the domain opendoorcdn[.]com. Analysis revealed the skimmer had been operational since at least December 3, 2019. Pimental collaborated with researcher Max Kersten, who recognized identical loader code from a March 2019 incident. Further investigation using UrlScan identified a second compromised site, EuroTickets2020.com, which shared identical layout elements, owner information, and customer support contacts with OlympicTickets2020.com. The EuroTickets2020 infection began by at least January 7, 2020. Both sites operated under the same entity, broadening the attack surface for credential theft targeting international event attendees.

Pimental and Kersten attempted responsible disclosure through multiple channels starting in January 2020, including emails, tweets, and live chat support, but received no substantive response. The sites' security team initially claimed no malicious activity was found and closed support tickets despite researchers providing explicit technical details. Persistent follow-up requests eventually led to malware removal, though the exact remediation date was unspecified. The skimmer remained active on OlympicTickets2020.com for approximately 50 days and on EuroTickets2020.com for at least two weeks before takedown. Customers who purchased tickets between December 3, 2019, and January 21, 2020, were advised to contact their banks due to high risk of payment card compromise. The incident exposed payment data through supply-chain compromise of a trusted third-party library rather than direct server infiltration, demonstrating attackers' adaptation to evade detection.
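
As an added illustration (not code from the researchers or the site operator), the sketch below audits a deployed copy of a vendored library such as "/dist/slippry.min.js" against a known-good reference, isolates any foreign code, and reports the payment keywords named above. The function names and the sample strings are constructed for this example.

```javascript
// Added example: integrity audit for a vendored library such as /dist/slippry.min.js.
const crypto = require('crypto');

// SRI-style digest of a file's contents.
const sha384 = (s) => 'sha384-' + crypto.createHash('sha384').update(s).digest('base64');

// Keywords the incident description says the skimmer checked for.
const PAYMENT_KEYWORDS = ['checkout', 'cart', 'billing'];

// Isolate the part of `deployed` that is absent from `reference`
// by trimming the longest common prefix and suffix.
function foreignRegion(reference, deployed) {
  const max = Math.min(reference.length, deployed.length);
  let start = 0;
  while (start < max && reference[start] === deployed[start]) start++;
  let end = 0;
  while (end < max - start &&
         reference[reference.length - 1 - end] === deployed[deployed.length - 1 - end]) end++;
  return deployed.slice(start, deployed.length - end);
}

// Compare the deployed file with the known-good release and triage any difference.
function auditLibrary(reference, deployed) {
  const modified = sha384(reference) !== sha384(deployed);
  const foreign = modified ? foreignRegion(reference, deployed) : '';
  const lower = foreign.toLowerCase();
  return {
    modified,
    deployedDigest: sha384(deployed),
    foreign,
    keywords: PAYMENT_KEYWORDS.filter((k) => lower.includes(k)),
  };
}

// Constructed sample input: a stand-in for the vendor release and a harmless injected stub.
const CLEAN = '(function($){$.fn.slippry=function(o){return this;};})(jQuery);';
const INJECT = 'if(/checkout|cart|billing/.test(location.href)){/* constructed stub */}';
const cut = CLEAN.indexOf('};})');
const TAMPERED = CLEAN.slice(0, cut) + INJECT + CLEAN.slice(cut);

console.log(auditLibrary(CLEAN, TAMPERED));
```

Because the skimmer described here was obfuscated, the keyword list can come back empty on a real sample; the digest mismatch and the isolated foreign region are the signals to act on.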
