How to Defend Against Magecart Skimming Cyber Attacks

Prior to the holidays last year, and a couple of months before the outbreak of the Coronavirus pandemic, we wrote about our concern regarding the increase in Magecart attacks against online retailers. That post is available at https://www.secureops.com/data-breaches/magecart/.

We noted that reports by Tala Security, confirmed by other security organizations, found that 98% of the Alexa 1000 websites lacked security measures capable of preventing client-side attacks like Magecart. In related warnings, both the FBI and the PCI Council cautioned that hackers were increasingly targeting online credit card information this year because of the ease of leveraging client-side attacks.

As of the middle of this year, the data is telling us that Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses in the United States and Canada, and to a varying degree in the rest of the world. Operating on an outdated content management system (CMS) like Magento, using unpatched add-ons, or having administrators’ credentials compromised through SQL injection leaves online or e-commerce companies vulnerable to a variety of attack vectors leveraged by cybercriminals operating under the Magecart umbrella.

Figure 1 – Image from Virus Bulletin – https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-inside-magecart-history-behind-covert-card-skimming-assault-e-commerce-industry/

The Keeper Threat Group and the Increase in Magecart Attacks

Since its launch three years ago, the Keeper threat group has compromised more than 570 e-commerce websites, from small mom and pop online retailers to Apple product resellers. The Keeper group is one of the larger cybercriminal organizations operating under the Magecart umbrella. The organization consists of an interconnected network of 64 attacker domains and 73 exfiltration domains.

Researchers at Gemini Advisory recently uncovered an unsecured access log on the Keeper control panel which contained over 184,000 credit and debit cards that they had skimmed from online retailers and which had timestamps that ranged from July 2018 to April 2019. Gemini labeled this group “Keeper” based on its repeated usage of a single domain called fileskeeper[.]org to inject malicious payment card-stealing JavaScript (JS) into the website’s HTML code.

Gemini Advisory suggested that “Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark-web median price of $10 per compromised card-not-present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards.”

There are likely dozens of individual cybercrime organizations that can be labeled under the Magecart umbrella and that actively use unique methods to target hundreds and thousands of e-commerce sites annually. Another criminal organization under the Magecart umbrella, for example, is responsible for compromising the Volusion CMS, which infected over 6,000 e-commerce sites with payment card-stealing scripts for nearly a month around this time last year.

How Magecart Cyber Attacks Work

One of the most significant attacks, in addition to the Macy’s Magecart attack that we covered in our previous Magecart blog post, occurred in 2018, when attackers stole personal data from hundreds of thousands of British Airways customers in a Magecart attack. Attackers were able to insert around 22 lines of JavaScript code into the airline’s website, allowing them to capture customer credit card numbers and other sensitive pieces of information. Malicious JavaScript code of this kind is used to skim data from HTML forms and send that data to servers controlled by the attackers. The Magecart hackers modified the code to capture the submitted data from the payment forms and send it to their designated server, which was located in Romania. This type of attack is what we are seeing repeatedly from the dozen or so large cybercrime organizations operating under the Magecart umbrella.

There are two approaches hackers take when it comes to Magecart attacks; the first is focused on attacking the organization’s main website or e-commerce application, while the second focuses on exploiting third-party tags. In both cases, the intent is to insert malicious JavaScript which can then skim or copy data from HTML forms and send that data to servers controlled by the attackers.

User data submitted through web forms, which exist on 98% of websites, is exposed to 10 times more domains than the website owner intended. In other words, your data is going to 10 different places on average when you fill out an online form.

Users typically enter personal data either for authentication, searches, or purchasing a good or service with a credit or debit card on a website like Macy’s or British Airways through an HTML form. Magecart attacks utilize JavaScript to monitor for this kind of sensitive data when it is entered into specific form fields, such as a password, social security number, or a credit card number. They then make a copy of it and send the copy to a different server on the internet.

Figure 2 – Magecart Javascript Attack Image from Trend Micro Blog Post

In the British Airways attack hackers inserted malicious code into the airline’s baggage claim subdomain, which was likely far less secure than the main website. This code was referenced on the main website, which when run within the airline’s customers’ browsers, could skim credit card and other personal information.

Why is it so Difficult to Defend Against Magecart Attacks?

On average, it takes online merchants nearly 13 days to discover and remove the skimming scripts injected by Magecart. Reinfections typically occur within 11 days. The success of these Magecart campaigns since last year comes from a criminal’s ability to identify the weakest link of a web supply chain. They often infect third-party code from suppliers rather than directly infecting the target companies’ own code. Thus, attackers breach a small third-party company with weaker security and inject their malicious code into a script that is loaded by the websites of multiple other companies.

High-profile compromises including the Macy’s attack, as well as Ticketmaster, Forbes, and Amazon CloudFront have brought the threat of online card skimming to the list of major concerns for every online retailer.

There are several reasons for the success of Magecart: (1) there are fortunes to be made via card data theft, as we suggested with Keeper; (2) compromising vendors or 3rd party partners that are unable to defend themselves adequately or uncover the attack is far easier than targeting an online retailer directly; and (3) there has been little threat of punishment or ramp-up in law enforcement activity to stop the momentum of these attacks.

How to Defend Against Magecart Attacks

Magecart attacks are difficult for IT security teams to identify because they do not take place on the provider’s backend infrastructure, but instead within the purchaser’s browser. This means data is transferred directly from the browser to malicious servers. There is typically no interaction with the backend website server. Further, the average website relies on 31 third-party integrations, which provide nearly two-thirds of the content visitors view on their browsers. This content is delivered via client-side connections which often do not employ effective security controls.

In addition, user data submitted through web forms, which exist on 98% of the websites analyzed, is exposed to 10 times more domains than the website owner intended. In other words, your personal data is going to 10 different places on average when you fill out an online form.

As a result, regularly auditing the backend infrastructure and the code supporting the website will not stop these attacks, because the issue is happening in the user’s browser, which traditional auditing won’t detect.

This means Magecart attacks can only be discovered when the company is alerted to credit card fraud or a client-side code review including all the third-party services takes place. Because of this, there are still many sites online today that hold malicious Magecart JavaScript code within their pages and are likely still leaking sensitive information.
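The browser-to-attacker-server data path described above can still be made visible to the site owner: a browser enforcing (or merely reporting on) a Content-Security-Policy will post a violation report to an endpoint the site chooses for every outbound request the policy does not allow, including connections opened by an injected script. The following Node.js script is an added example, not code from the SecureOps post, that triages such reports against an allowlist of expected destinations. The allowlist, the report contents and the hostnames are constructed for illustration.

```javascript
// Added example (not from the SecureOps post): triaging browser-reported
// Content-Security-Policy violations to spot data leaving the page toward
// domains the site owner never intended.
//
// Assumption: the site serves a report-only policy such as
//   Content-Security-Policy-Report-Only: connect-src 'self' https://api.example-psp.com;
//     form-action 'self'; report-uri /csp-report
// Browsers then POST a JSON object with a "csp-report" key for each request
// the policy would block. The report shapes below are constructed.

// Origins the site owner legitimately expects browser-side requests to reach.
// (Constructed allowlist; replace with the real inventory of vetted integrations.)
const ALLOWED_ORIGINS = new Set([
  "https://shop.example.com",
  "https://api.example-psp.com",
]);

// Directives whose violation means data was about to leave the page.
const EXFIL_DIRECTIVES = new Set(["connect-src", "form-action"]);

// Normalise a blocked-uri into an origin string; reports may contain a bare
// scheme ("data", "blob", "inline") instead of a full URL.
function originOf(blockedUri) {
  try {
    return new URL(blockedUri).origin;
  } catch {
    return blockedUri;
  }
}

// Returns the subset of reports that look like exfiltration attempts:
// a connect-src/form-action violation to an origin outside the allowlist.
function triageCspReports(reports, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const wrapper of reports) {
    const r = wrapper["csp-report"];
    if (!r) continue;
    // Newer browsers send "effective-directive"; older ones only "violated-directive".
    const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
    if (!EXFIL_DIRECTIVES.has(directive)) continue;
    const origin = originOf(r["blocked-uri"] || "");
    if (allowedOrigins.has(origin)) continue;
    findings.push({
      page: r["document-uri"],
      directive,
      destination: origin,
      // The script that issued the request, when the browser includes it.
      sourceFile: r["source-file"] || null,
    });
  }
  return findings;
}

// Constructed sample reports: one benign (the payment provider's API),
// one suspicious (checkout page sending data to an unknown host),
// and one unrelated (a blocked image, not an exfiltration path).
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example.com/checkout",
      "effective-directive": "connect-src",
      "blocked-uri": "https://api.example-psp.com/charge" } },
  { "csp-report": { "document-uri": "https://shop.example.com/checkout",
      "effective-directive": "connect-src",
      "blocked-uri": "https://cdn-static-assets.invalid/collect",
      "source-file": "https://shop.example.com/static/vendor/analytics.js" } },
  { "csp-report": { "document-uri": "https://shop.example.com/",
      "effective-directive": "img-src",
      "blocked-uri": "https://cdn-static-assets.invalid/pixel.gif" } },
];

console.log(JSON.stringify(triageCspReports(SAMPLE_REPORTS), null, 2));
```

Each finding names the page, the destination origin and, where the browser supplies it, the script file that made the request, which is the starting point for the client-side code review the text calls for. Running the policy in report-only mode first lets a site build the allowlist from real traffic before switching to enforcement.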

How to Defend Against Magecart Cyber Attacks

The following 7 Cyber Defense Tactics will Bolster Your Ability to Stop Magecart Attacks:

  • Regularly patch and update software; disable, restrict, or secure outdated components or 3rd party code or plugins. Also, bolster credentials or authentication mechanisms across systems. IT security teams should proactively monitor their websites and client-side applications for signs of malicious activities such as unauthorized access and modification, data exfiltration, and the execution of unknown scripts.
  • Take a Zero-Trust approach with JavaScript on your sites, starting with a policy to block access by default to any customer or sensitive information entered in web forms and cookies. In addition, only allow a select set of your own, vetted scripts to access customer or other sensitive data. By following this Zero Trust approach, even if this type of skimming code does get on your website, it is not able to access any of the sensitive information.
  • Magecart is increasingly taking advantage of suppliers in their attacks. Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These 3rd parties often integrate with thousands of websites, thus, when one supplier is compromised, Magecart has essentially breached thousands of sites at once. Review and revise your security policies to include more vigorous scrutiny of your 3rd party partners.
  • Magecart will always be intrinsically connected to one program: Magento. Magento didn’t come into existence until 2007 but is now running on tens of thousands of sites, mainly due to Adobe’s acquisition of the platform. Magento is often customized with code created for functionality, not security, and many of the e-commerce stores that use Magento do not patch regularly.
  • Make sure your cyber insurance covers Magecart-style compromises.
  • Review your endpoint protection provider and assess if they can identify and thwart Magecart and other third-party compromise attacks.

As we suggested in our previous blog post, SecureOps and other security organizations highlight the widespread vulnerabilities resulting from integrations that enable and enhance website functionality; typically, from 3rd party partners. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information. SecureOps helps organizations improve their vulnerability management programs, bolster defense through penetration testing, and provide incident response capabilities so that any attack is stopped immediately.

To Learn More About How to Defend Against Magecart Attacks or If You Have Been Attacked Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.

You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://www.secureops.com/contact-us/
