Magecart Attacks Alive and Well as Recent Wave Hits High-End Retailers by Scott Ikeda

Magecart attacks have been making news since about 2016, when the loose confederation of online credit card skimmers began running rampant in stores using the Magento shopping cart system. The Magecart groups have since expanded their scope and graduated to some of the world’s biggest companies, hitting British Airways and Ticketmaster among others in 2018.

This confederacy of skimmers shows no signs of slowing down. Research conducted by Malwarebytes Labs shows a sharp increase in Magecart attacks over the summer, and last month the PCI Security Standards Council (PCI SSC) and the Retail & Hospitality ISAC (RH-ISAC) issued a joint statement advising online merchants of the threat.

How Magecart attacks work

The term “Magecart” is comparable to something like “Anonymous” or “Antifa” in that it is not one large cohesive group, but rather a label and set of tactics used to describe independent smaller groups that don’t necessarily associate with each other. Security researchers estimate there are at least 12 major persistent threat groups that make Magecart attacks their primary stock-in-trade, along with an uncountable number of more minor copycats.

All of the Magecart groups have a laser focus on stealing payment information. These groups look for exploits in common ecommerce software, then deploy them against multiple targets to insert themselves into the payment stream. Credit card numbers and account details are quietly siphoned off in a process known as “formjacking.” The hackers are usually capturing customer information in real time as it is entered into web forms for payment.

Their primary commercial activity is selling “fullz” on the black market. These are accounts for which the hacking group has captured all of the card information needed to make purchases online: CVC number, expiration date and billing address in addition to the account number. Some groups have used the numbers themselves to purchase merchandise, often conning desperate job seekers into acting as drop shippers in the belief they are doing a legitimate work-at-home job.

While the attacks have focused on lucrative payment information to date, there is nothing stopping Magecart groups from skimming anything else that is entered into a form on a website, such as login and password information. At least one group was found to have been skimming admin login credentials in one of their attacks.

Though they are all referred to as Magecart, the groups do not appear to be working in tandem. In fact, some have been seen taking active measures against the code of others when they breach the same system. Collectively, Magecart attacks are thought to have compromised at least 50,000 companies worldwide.

Recent attacks

The Magecart groups have shown a consistent preference for larger enterprise-scale companies throughout their history, no doubt due to the volume of payment card transactions they process.

The more recent rash of attacks has targeted smaller companies, but ones that tend to sit at the higher end of retail, such as luxury fashion brands and motorsports companies. This appears to represent a shift in focus from collecting large quantities of card numbers to concentrating on cardholders with higher credit limits, most likely by targeting retailers that feel they are too small to receive special attention from hackers and are not keeping up to date with cybersecurity and patching.

Magento was the first prime target for the Magecart groups, and it remains one of their favorites for gathering illicit card data. Many online stores are still running versions of Magento that are from as far back as 2010, and have known vulnerabilities that hackers can exploit.

The Magecart attacks peaked in July, with 962 sites hit in one day in the largest automated campaign to date and 17,000 domains infected over the course of the month by way of misconfigured Amazon S3 buckets.

Attackers are able to infect large numbers of sites at once with “spray and pray” attacks, scanning for misconfigured Amazon S3 buckets with automated tools that can slip malicious JavaScript in without the site or its customers noticing. Some of the attack groups are using more advanced techniques, such as registering domain names that are similar to the target’s to help evade scrutiny.

Securing against Magecart

The main reason Magecart attacks happen is that so many commerce websites are not updated and not patched regularly, some of them sitting for the better part of a decade in this vulnerable state. Automated tools comb through the internet looking for outdated versions of software with known vulnerabilities that companies may not have patched. It is vital for anyone doing business online to run the latest version of their ecommerce software and to install security updates as soon as they are released.

One basic security capability that these online shopping sites often lack is code obfuscation. If the JavaScript and HTML code the site runs on is not obfuscated, hackers can read it directly and make use of automated tools to insert the malicious skimming code needed to re-route payment traffic to their servers. Obfuscated code will shut down the vast majority of automated attacks.

Other security measures that should ideally be in place include an alert system that notifies IT when someone attempts to alter any code on the website, and implementing a Subresource Integrity (SRI) solution to check that third-party files loaded as part of the checkout process have not been modified. This latter element is particularly important as Deepak Patel, security evangelist at web security company PerimeterX, points out:

“Magecart attacks will continue for a long time. The modern web application stack relies on third-party scripts hosted from providers who lack stringent security enforcement. Website owners lack visibility into the third-party scripts running on the users’ browsers within the context of their site. In many cases, website owners are also unaware of all the first-party scripts running on their site. In this particular case, Magecart attackers leveraged an older version of Magento, but it could very well be a chat service provider, like in the case of Delta Airlines.

“For the website users, it is impossible to discern if the website is compromised by Magecart attacks. The website users see the secure padlock next to the URL on the browser address bar and feel assured.

“The first step for website owners should be to get visibility and control of all the scripts whether first-party or third-party or any part of the supply chain.”

Ultimately, however, the main thing is to keep ecommerce solutions patched and updated. These Magecart skimming campaigns tend to focus on the lowest-hanging fruit, using automated tools to hit upon sites that are using outdated software and are vulnerable. If your site is hardened with the latest security patches, your chances of receiving their special attention go down considerably.