How to Defend Against Magecart Skimming Cyber Attacks
by Robert Bond
Defending Against Magecart Skimming Cyber Attacks
Prior to the holidays last year and a couple of months before the outbreak of the Coronavirus pandemic we wrote about our concern with regard to the increase in Magecart attacks against online retailers which you can find here https://secureops.com/data-breaches/magecart/.
We suggested that in reports by Tata Security and confirmed by other security organizations 98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing client-side attacks like Magecart. In related warnings, both the FBI and the PCI Council cautioned that hackers were increasingly targeting online credit card information this year because of the ease of leveraging client-side attacks.
As of the middle of this year, the data is telling us that Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses in the United States and Canada as well as the rest of the world to a varying degree. Operating on an outdated content management system (CMS) like Magneto, utilizing unpatched add-ons, or having administrators’ credentials compromised through SQL injections leaves online or e-commerce companies vulnerable to a variety of different attack vectors leveraged by cybercriminals operating under the Magecart umbrella.
The Keeper Threat Group and the Increase in Magecart Attacks
Since its launch three years ago, the Keeper threat group has compromised more than 570 e-commerce websites, from small mom and pop online retailers to Apple product resellers. The Keeper group is one of the larger cybercriminal organizations operating under the Magecart umbrella. The organization consists of an interconnected network of 64 attacker domains and 73 exfiltration domains.
Gemini Advisory suggested that “Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark-web median price of $10 per compromised card-not-present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards.”
There are likely dozens of individual cybercrime organizations that can be labeled under the Magecart umbrella and that actively use unique methods to target hundreds and thousands of e-commerce sites annually. Another criminal organization under the Magecart umbrella for example is responsible for compromising a Volusion CMS, which infected over 6,000 e-commerce sites with payment card-stealing scripts for nearly a month around this time last year.
How Magecart Cyber Attacks Work
User form data sent and captured on forms available on 98% of websites, is exposed to 10 times more domains than intended by the website owner. Meaning your data is going to 10 different places on average when you fill out an online form.
In the British Airways attack hackers inserted malicious code into the airline’s baggage claim subdomain, which was likely far less secure than the main website. This code was referenced on the main website, which when run within the airline’s customers’ browsers, could skim credit card and other personal information.
Why is it so Difficult to Defend Against Magecart Attacks?
On average, it takes online merchants nearly 13 days to discover and remove the skimming scripts injected by Magecart. Reinfections typically occur within 11 days. The success since last year of these Magecart campaigns comes from a criminal’s ability to identify the weakest link of a web supply chain. They often infect third-party code from suppliers rather than directly infecting the target companies’ own code. Thus, attackers breach a small third-party company with lesser security and inject their malicious code into a script that is sourced to multiple other companies.
High-profile compromises including the Macy’s attack, as well as Ticketmaster, Forbes, and Amazon CloudFront have brought the threat of online card skimming to the list of major concerns for every online retailer.
There are several reasons for the success of Magecart: (1) There are fortunes to be made via card data theft as we suggested with Keeper (2) Compromising vendors or 3rd party partners that are unable to defend themselves adequately or uncover the attack is far easier than targeting an online retailer (3) There has been little threat of punishment or ramp up in law enforcement activity to stop the momentum of these attacks.
How to Defend Against Magecart Attacks
Magecart attacks are difficult for IT security teams to identify because they do not take place on the provider’s backend infrastructure, but instead within the purchaser’s browser. This means data is transferred directly from the browser to malicious servers. There is typically no interaction with the backend website server. Further, the average website relies on 31 third-party integrations, which provide nearly two-thirds of the content visitors view on their browsers. This content is delivered via client-side connections which often do not employ effective security controls.
In addition, user form data sent and captured on forms available on 98% of websites analyzed is exposed to 10 times more domains than intended by the website owner. Meaning your personal data is going to 10 different places on average when you fill out an online form.
As a result, auditing the backend infrastructure and code supporting website on a regular basis will not stop attacks, because the issue is happening in the user’s browser which traditional auditing won’t detect.
How to Defend Against Magecart Cyber Attacks
The following 7 Cyber Defense Tactics will Bolster Your Ability to Stop Magecart Attacks:
- Regularly patch and update software; disable, restrict, or secure outdated components or 3rd party code or plugins. Also, bolster credentials or authentication mechanisms across systems. IT security teams should proactively monitor their websites and client-side applications for signs of malicious activities such as unauthorized access and modification, data exfiltration, and the execution of unknown scripts.
- Magecart is increasingly taking advantage of suppliers in their attacks. Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These 3rd parties often integrate with thousands of websites, thus, when one supplier is compromised, Magecart has essentially breached thousands of sites at once. Review and revise your security policies to include more vigorous scrutiny of your 3rd party partners.
- Magecart will always be intrinsically connected to one program: Magento. Magento didn’t come into existence until 2007 but is now running on tens of thousands of sites, mainly due to Adobe’s acquisition of the platform. Magneto is often customized with code created for functionality, not security and many of the e-commerce stores that use Magneto do not patch regularly.
- Make sure your cyber insurance covers Magecart-style compromises.
- Review your endpoint protection provider and assess if they can identify and thwart Magecart and other third-party compromise attacks.
As we suggested in our previous blog post, SecureOps and other security organizations highlight the widespread vulnerabilities resulting from integrations that enable and enhance website functionality; typically, from 3rd party partners. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information. SecureOps helps organizations improve their vulnerability management programs, bolster defense through penetration testing, and provide incident response capabilities so that any attack is stopped immediately.
To Learn More About How to Defend Against Magecart Attacks or If You Have Been Attacked Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://secureops.com/contact-us/
August 3, 2020
June 23, 2020