The cyber criminal group known as Magecart is back – this time with a series of supply chain attacks carried out against a wide range of websites that work with third-party advertising vendors. In January 2019, Trend Micro warned of the growing threat of new Magecart attacks delivered through a compromised advertising supply chain. At the time, Trend Micro was tracking nearly 300 e-commerce websites providing ticketing, touring and flight booking services that had been infected with Magecart malware. And now, the Magecart cyber criminals appear to be broadening the scope of their supply chain attacks to include any media or entertainment website – including, most prominently, Forbes magazine – that works with third-party advertising vendors.
The return of the Magecart hackers
Back in 2015, Magecart made global headlines with a series of high-profile attacks targeting the likes of British Airways, Ticketmaster and Newegg. Magecart became the name used by security researchers for a group of threat actors utilizing malicious supply chain attacks or application exploits that specifically targeted e-commerce website functionality. The focal point of attack was the shopping cart functionality of these websites, especially the part of the purchase experience where the customer entered his or her payment information.
In the classic attack scenario, the Magecart cyber criminals inserted a bit of malicious script on these websites that essentially skimmed the credit card and payment data of anyone making a transaction on the website. This skimmer code collected a plethora of information – including payment card numbers, expiration dates, credit card CVV/CVC codes, names, addresses, phone numbers and email addresses – and then exfiltrated that information to a remote server controlled by the hackers.
Obviously, these Magecart attacks targeted big companies and huge online stores doing large amounts of e-commerce transactions, because the sole goal of these attacks featuring malicious skimming code was to collect as much payment card data as possible. Once the information was collected, hackers could then turn around and attempt to monetize this stolen credit card information on the Dark Web, or use this data to carry out identity theft and fraud.
The rise of the advertising supply chain attack
What’s different now, say security researchers such as Yonathan Klijnsma, Willem de Groot and Troy Mursch (of Bad Packets Report), is that the Magecart hackers have shifted their tactics to target the advertising supply chains of a much wider group of websites. These researchers have discovered skimming scripts on thousands of websites, ranging from flight booking services to cosmetic, healthcare and apparel companies. This has led them to the conclusion that the Magecart groups may be carrying out a “shotgun” approach, hoping to attack as many sites as possible by going after small advertising vendors.
In this style of web-based supply chain attack, the goal is to compromise the vendors that supply code that adds or improves website functionality. For example, in the current round of Magecart supply chain attacks, the goal has been to place skimmers on web-based advertising suppliers such as AdMaxim, CloudCMS and Picreel. Since these supply chain vendors work with thousands of websites each, compromising a single vendor significantly broadens the scope of attack possible for Magecart hackers.
The case of the Forbes magazine Magecart attack
To see how this works in practical terms, consider the case of the recent Magecart attack on the Forbes magazine subscription site. Troy Mursch of Bad Packets Report found a Magecart script on the site that was surreptitiously collecting payment card data that Forbes readers were using to pay for their magazine subscriptions. On Twitter, Mursch posted a warning that the Forbes site might be infected with the Magecart malware and that Magecart groups might be significantly widening their scope of attack.
Future supply chain attacks to come?
The real concern in the security research community is that supply chain attacks are going to become more and more common, enabling hackers to attack a much wider range of websites than before. In other words, it’s not just the big e-commerce websites or the websites of huge travel and ticketing companies that do a significant amount of their business online that are at risk – it’s any website that engages in transactions online. Magecart code, for example, has been found on videogaming sites and news websites.
Given the number of third-party vendors that supply website services related to online advertising and customer tracking, it’s easy to see how Magecart hackers might start ramping up their supply chain attacks in order to compromise the entire online advertising ecosystem. That could be a nightmare scenario for websites and companies that once thought they were free and clear of any cyber attacks featuring Magecart malware.