{
	"id": "86c90b5c-8ae5-4e31-9246-e350bf14ddd6",
	"created_at": "2026-04-06T01:31:18.320346Z",
	"updated_at": "2026-04-10T03:24:11.775116Z",
	"deleted_at": null,
	"sha1_hash": "2cb1a1fb413d4854bcdbb4b8474f2b2696e5f5dd",
	"title": "Olympic Ticket Reseller Magecart Infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 461064,
	"plain_text": "Olympic Ticket Reseller Magecart Infection\r\nBy Jacob Pimental\r\nPublished: 2020-01-25 · Archived: 2026-04-06 01:11:22 UTC\r\nI have recently stumbled across a Magecart infection on an Olympic ticket reseller site. This article will contain a\r\nbrief analysis of the Magecart infection as well as my experience disclosing this information to the company. This\r\nis a joint analysis with Max Kersten, whose blog you can find here.\r\nInitial Analysis\r\nThe initial infection can be found at https://olympictickets2020[.]com/dist/slippry.min.js. This appears to be the\r\nlegitimate slippry.js library along with extra obfuscated JavaScript appended to the end of the file. The malicious\r\ncode begins at the declaration of function bAQ.\r\nThe function itself appends data to the variable C46, which is then deobfuscated and appended to the variable ih3.\r\nThe easiest way to get the second stage payload would be to run the code inside the function in your browser’s\r\ndeveloper console and print out the value of ih3 with the toString function.\r\nFrom here the obfuscation is fairly simple. You can unminimize the JavaScript using a site like\r\nhttps://beautifier.io. Then we can just insert values into our JavaScript console and replace the obfuscated data with\r\nthe result. Max Kersten has a great analysis of how the obfuscation works on his blog here. This script is not much\r\ndifferent than the one in his article. 
After deobfuscation we can see that the script looks for the keywords:\r\nonepage\r\ncheckout\r\nstore\r\ncart\r\npay\r\npanier\r\nkasse\r\norder\r\nbilling\r\npurchase\r\nbasket\r\nIf it finds any of those keywords in the website, it will send the information in the credit card form to\r\nopendoorcdn[.]com.\r\nDisclosure\r\nBefore going public about the infection, Max and I decided to tweet at the company urging them to get in touch\r\nwith us. We also sent an e-mail to their customer support with the same information. The following Monday, Max\r\ndecided to use the chat feature on their site to try to get in contact with their security team, since we hadn’t heard\r\nanything back. At first they did not find the malicious code and closed Max’s ticket.\r\nAfter the ticket was closed, I decided to give them a call. I provided more detail as to what the infection was along\r\nwith where they could find the malicious code. The support on the other line told me that they would pass along\r\nthis information to their security team and they would contact me with the result.\r\nAround noon on January 21st, Eastern Time, Max and I noticed that the malicious script was taken down, meaning\r\nthey listened to our suggestions and were able to remove the malicious code from the site. The script now leads to\r\na 404 page.\r\nExtent\r\nDigging into the extent of the infection, Max and I found that the company’s other site, eurotickets2020.com is\r\nalso compromised with the same variant of Magecart. This can be found by searching for the hash via UrlScan.\r\nThe furthest date back this was scanned was 2 months ago according to UrlScan, so it is unclear exactly how long\r\nthe malicious code has been on their site. Max also took a look at the URL using the Wayback Machine and found\r\nthe skimmer indexed on December 3rd, 2019. The URL for the eurotickets site can be seen dated back to January\r\n7th, 2020. 
This gives us a rough estimate that the code may have been on the site for 50 days, but it is always\r\npossible that it was there longer.\r\nConclusion\r\nIf you have purchased tickets from olympictickets2020.com or eurotickets2020.com in the last 50 days I would\r\nsuggest you contact your bank as your credit card information may be compromised. I would also like to thank\r\nMax Kersten for helping me with this analysis! If you have any comments or questions, feel free to reach out\r\nto me on my Twitter or LinkedIn.\r\nThanks for reading and happy reversing!\r\nMalware Analysis, Magecart, Skimmer, JavaScript\r\nSource: https://www.goggleheadedhacker.com/blog/post/14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.goggleheadedhacker.com/blog/post/14"
	],
	"report_names": [
		"14"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439078,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cb1a1fb413d4854bcdbb4b8474f2b2696e5f5dd.pdf",
		"text": "https://archive.orkl.eu/2cb1a1fb413d4854bcdbb4b8474f2b2696e5f5dd.txt",
		"img": "https://archive.orkl.eu/2cb1a1fb413d4854bcdbb4b8474f2b2696e5f5dd.jpg"
	}
}