Magecart attacks have been making news since about 2016, when the loose confederation of online credit card skimmers began running rampant in stores using the Magento shopping cart system. The Magecart groups have since expanded their scope and graduated to some of the world’s biggest companies, hitting British Airways and Ticketmaster among others in 2018.
This confederacy of skimmers shows no signs of slowing down. Research conducted by Malwarebytes Labs shows a sharp increase in Magecart attacks over the summer, and last month the PCI Security Standards Council (PCI SSC) and the Retail & Hospitality ISAC (RH-ISAC) issued a joint statement advising online merchants of the threat.
How Magecart attacks work
The term “Magecart” is comparable to something like “Anonymous” or “Antifa” in that it is not one large cohesive group, but rather a label and set of tactics used to describe independent smaller groups that don’t necessarily associate with each other. Security researchers estimate there are at least 12 major persistent threat groups that make Magecart attacks their primary stock-in-trade, along with an uncountable number of more minor copycats.
All of the Magecart groups have a laser focus on stealing payment information. These groups look for exploits in common ecommerce software, then deploy them against multiple targets to insert themselves into the payment stream. Credit card numbers and account details are quietly siphoned off in a process known as “formjacking.” The hackers are usually capturing customer information in real time as it is entered into web forms for payment.
Their primary commercial activity is selling “fullz” on the black market. These are accounts for which the hacking group has captured all of the card information needed to make purchases online: CVC number, expiration date and billing address in addition to the account number. Some groups have used the numbers themselves to purchase merchandise, often conning desperate job seekers into acting as drop shippers in the belief they are doing a legitimate work-at-home job.
While the attacks have focused on lucrative payment information to date, there is nothing stopping Magecart groups from skimming anything else that is entered into a form on a website, such as login and password information. At least one group was found to have been skimming admin login credentials in one of their attacks.
Though they are all referred to as Magecart, the groups do not appear to be working in tandem. In fact, some have been seen taking active measures against the code of others when they breach the same system. Collectively, Magecart attacks are thought to have compromised at least 50,000 companies worldwide.
The Magecart groups have shown a consistent preference for larger enterprise-scale companies throughout their history, no doubt due to the volume of payment card transactions they process.
The more recent rash of attacks has targeted smaller companies, but those that tend to be at the higher end of retail, such as luxury fashion brands and motorsports companies. This appears to represent a shift in focus from collecting large quantities of card numbers to concentrating on cards with higher credit limits, most likely by targeting retailers that feel they are too small to receive special attention from hackers and are not keeping up to date with cybersecurity and patching.
Magento was the first prime target for the Magecart groups, and it remains one of their favorites for gathering illicit card data. Many online stores are still running versions of Magento that are from as far back as 2010, and have known vulnerabilities that hackers can exploit.
Securing against Magecart
The main reason Magecart attacks happen is that so many commerce websites are not updated and not patched regularly, some of them sitting for the better part of a decade in this vulnerable state. Automated tools comb through the internet looking for outdated versions of software with known exploits that companies may not have patched. It is vital for anyone doing business online to have the latest version of their ecommerce software and to install regular security updates as soon as possible.
Other security measures that should ideally be in place include an alert system that notifies IT when someone attempts to alter any code on the website, and a Subresource Integrity (SRI) solution that checks that third-party files loaded as part of the checkout process have not been modified. This latter element is particularly important, as Deepak Patel, security evangelist at web security company PerimeterX, points out:
“Magecart attacks will continue for a long time. The modern web application stack relies on third-party scripts hosted from providers who lack stringent security enforcement. Website owners lack visibility into the third-party scripts running on the users’ browsers within the context of their site. In many cases, website owners are also unaware of all the first-party scripts running on their site. In this particular case, Magecart attackers leveraged an older version of Magento, but it could very well be a chat service provider, like in the case of Delta Airlines.
“For the website users, it is impossible to discern if the website is compromised by Magecart attacks. The website users see the secure padlock next to the URL on the browser address bar and feel assured.
“The first step for website owners should be to get visibility and control of all the scripts whether first-party or third-party or any part of the supply chain.”
Ultimately, however, the main thing is to keep ecommerce solutions patched and updated. These Magecart skimming campaigns tend to focus on the lowest-hanging fruit, using automated tools to hit upon sites that are using outdated software and are vulnerable. If your site is hardened with the latest security patches, your chances of receiving their special attention go down considerably.