Magecart Campaigns are Targeting e-Commerce Websites
Magecart is Threatening Online Businesses this Holiday Season
As we noted in an earlier blog post, there were 5,183 breaches in the first nine months of 2019, exposing 7.9 billion records; both figures are all-time records. The number of breaches is a 33% increase from the same period last year!
Medical services, retailers and public entities (government organizations) are the sectors that have experienced the most breaches. Looking further into the data breach landscape, hacking remains the top breach type by number of incidents, while the Web has exposed the most records this year.
Thus, with another increase in on-line shopping this year, expect unprecedented levels of online data theft due to a lack of deployed client-side security measures. A client-side exploit is one that attacks or influences the client or, in layman’s terms, your customer. It is distinguished from a server-side exploit, which attacks the server. An example of a client-side exploit would be malicious JavaScript code taking advantage of a bug in a browser. Client-side attacks require user interaction, such as phishing e-mails enticing users to click a link, open a document, or otherwise reach a malicious website.
SecureOps and other security organizations highlight the widespread vulnerabilities resulting from integrations that enable and enhance website functionality; typically, from 3rd party partners. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.
In reports by Tata Security, confirmed by other security organizations, 98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing client-side attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are increasingly targeting online credit card information this year because of the ease of leveraging client-side attacks.
Erik Montcalm, Vice-President, Services & Technologies at SecureOps, suggests that client-side security is critical if retailers, or frankly any business, want to create a high level of trust with prospects and customers. He further recommends three points of focus for IT security teams: (1) vetting 3rd party vendors, (2) making certain endpoint security providers can detect Magecart-style attacks and (3) improving incident response in order to reduce the time between infection and detection.
Cyber criminals target widespread client-side vulnerabilities to steal credentials, credit card numbers, bank information and other personal information which is then sold on the dark web and used for fraud.
Critical Statistics Concerning Website Security
- Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
- User form data sent and captured on forms, available on 98% of websites, is exposed to 10 times more domains than intended by the website owner. This means your data is going to 10 different places on average when you fill out an online form.
- The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content visitors view on their browsers. This content is delivered via client-side connections which often do not employ effective security controls.
Macy’s Online Store Compromised in Magecart-Style Attack
The website of Macy’s was compromised and equipped with an information-stealing JavaScript, which ended up collecting users’ personal and payment card information for over a week.
According to the e-mail notice sent by Macy’s to affected customers, the breach was discovered on October 15, 2019, after the IT security team was alerted to a suspicious connection between macys.com and another website. Macy’s PR team suggested that “Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two pages on macys.com.”
The organization further explained “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: (1) the checkout page – if credit card data was entered and ‘place order’ button was hit; and (2) the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
1 in 5 Merchants Compromised by Magecart Get Re-infected
On average, it takes online merchants nearly 13 days to discover and remove the skimming scripts injected by Magecart. Reinfections typically occur within 11 days.
The success of these Magecart campaigns since last year comes from the criminals’ ability to identify the weakest link in a web supply chain. They often infect third-party code from suppliers rather than directly infecting the target companies’ own code. Thus, attackers breach a small third-party company with weaker security and inject their malicious code into a script that is sourced by multiple other companies.
Live chat suppliers or marketing analytics organizations that are linked to the website are good examples of organizations that are often targeted. When these companies, which are typically downstream in the supply chain, are compromised, the malicious script is integrated directly into the on-line seller’s scripts, and the sellers immediately start serving it to their own end users.
Unfortunately, security programs such as basic white or gray-box penetration testing, code review, and dynamic application security testing have little value for preventing these attacks. Companies have no visibility into what these third parties are doing and no way to prevent the hackers that exploit them from accomplishing their malicious missions.
How to Prevent Magecart and Other Client-side Attacks
Magecart has been active for nearly ten years; however, it has been getting increased attention since last year. Since 2010, when it was first uncovered in JavaScript, it has become so widespread that hundreds of thousands of sites, and potentially millions of users, have been affected, including through Ticketmaster, British Airways, and Forbes Magazine.
Typically, the Magecart hacker substitutes a piece of JavaScript code, either by altering the Magento source or by redirecting the shopping cart, using an injection, to a website that hosts the malware. Researchers have identified nearly 40 different code-injection exploits. The only way to detect this is to compare the entire e-commerce code stack line by line and see what has changed.
The following 6 best practices will help improve your network security to stop Magecart-style attacks:
- Identify your third-party e-commerce and online advertising vendors. You could require them to do self-assessments of their code or other audits. Organizations like Security Scorecard assign an “A” to “F” risk score to a database of organizations.
- Review and revise your security policies so that your contractors and suppliers receive the same treatment as if they were working in your company. One reason supply chain attacks work is that the hackers are counting on poor security vetting of 3rd parties.
- Host as many of your 3rd party scripts as possible on your own servers. That is more easily said than done, given that the average e-commerce webpage has dozens of third-party sources.
- Make sure your cyber insurance covers Magecart-style compromises.
- Implement subresource integrity (SRI) so that modified scripts are not loaded without your permission. This will require a concerted education of your DevOps teams and a thorough code review to identify these scripts.
- Review your endpoint protection provider and assess if they can identify and thwart Magecart and other third-party compromise attacks.
Also, good IDS/IPS solutions, log monitoring/management, and Content Security Policies (CSP) will help prevent client-side attacks. Our team here at SecureOps is specifically trained to help businesses that collect customer data and sell products and services on-line prevent Magecart-style attacks by managing IDS/IPS technology and 24x7x365 log management, developing improved CSP with your team, and empowering your IT security and incident response teams.