Magecart Supply Chain Attacks Gaining in Popularity and Intensity by Nicole Lindsey

The cyber criminal group known as Magecart is back – this time with a series of supply chain attacks carried out against a wide range of websites that work with third-party advertising vendors. In January 2019, Trend Micro warned of the growing threat of new Magecart attacks delivered through a compromised advertising supply chain. At the time, Trend Micro was tracking nearly 300 e-commerce websites providing ticketing, touring and flight booking services that had been infected with Magecart malware. Now the Magecart cyber criminals appear to be broadening the scope of their supply chain attacks to include any media or entertainment website – including, most prominently, Forbes magazine – that works with third-party advertising vendors.

The return of the Magecart hackers

Back in 2015, Magecart made global headlines with a series of high-profile attacks targeting the likes of British Airways, Ticketmaster and Newegg. Magecart became the name used by security researchers for a group of threat actors utilizing malicious supply chain attacks or application exploits that specifically targeted e-commerce website functionality. The focal point of attack was the shopping cart functionality of these websites, especially the part of the purchase experience where the customer entered his or her payment information.

In the classic attack scenario, the Magecart cyber criminals inserted a bit of malicious script on these websites that essentially skimmed the credit card and payment data of anyone making a transaction on the website. This skimmer code collected a plethora of information – including payment card numbers, expiration dates, credit card CVV/CVC codes, names, addresses, phone numbers and email addresses – and then exfiltrated that information to a remote server controlled by the hackers.

Obviously, these Magecart attacks targeted big companies and huge online stores doing large amounts of e-commerce transactions, because the sole goal of these attacks featuring malicious skimming code was to collect as much payment card data as possible. Once the information was collected, hackers could then turn around and attempt to monetize this stolen credit card information on the Dark Web, or use this data to carry out identity theft and fraud.

The rise of the advertising supply chain attack

What’s different now, say security researchers such as Yonathan Klijnsma, Willem de Groot and Troy Mursch (of Bad Packets Report) is that the Magecart hackers have shifted their tactics to target the advertising supply chains of a much wider group of websites. They have discovered skimming scripts on thousands of websites, ranging from flight booking services to cosmetic, healthcare and apparel companies. This has led them to the conclusion that the Magecart groups may be carrying out a “shotgun” approach, hoping to attack as many sites as possible by going after small advertising vendors.

In this style of web-based supply chain attack, the goal is to compromise the vendors that supply code that adds or improves website functionality. For example, in the current round of Magecart supply chain attacks, the goal has been to place skimmers on web-based advertising suppliers such as AdMaxim, CloudCMS and Picreel. Since each of these supply chain vendors works with thousands of websites, this significantly broadens the scope of attack possible for Magecart hackers.

Even though the term “supply chain attack” might seem to imply that only certain types of companies – such as manufacturing companies with large supply chains and a large number of logistics providers – are at risk, these supply chain attacks can be carried out against any company in any sector, as long as the company relies on third-party vendors to supply part of its website code. In the case of Picreel, for example, the company is an analytics provider that helps companies record user behavior on a website in order to boost conversion rates. Website owners embed Picreel JavaScript into their sites – so if Picreel has already been targeted by the Magecart hackers, any customer of Picreel that uses the Picreel tracking script is also going to be compromised.

The case of the Forbes magazine Magecart attack

To see how this works in practical terms, consider the case of the recent Magecart attack on the Forbes magazine subscription site. Troy Mursch of Bad Packets Report found Magecart script on the site that was surreptitiously collecting payment card data that Forbes readers were using to pay for their magazine subscriptions. On Twitter, Mursch posted a warning that the Forbes site might be infected with the Magecart malware and that Magecart groups might be significantly widening their scope of attack.

So how and why did the Magecart hackers get their malicious script placed on the Forbes magazine subscription site? The current theory is that the Magecart attack was part of a broader supply chain attack against media companies that work with advertising supply chain partners. In this case, Forbes is a customer of Picreel, so it’s highly likely that Picreel was the source of the malicious JavaScript. Another possibility is that a company supplying icons and graphics to the Forbes site might have been the original source of the Magecart activity. The good news here is that Forbes is “fairly confident” that no one was impacted by the skimmers.

Future supply chain attacks to come?

The real concern in the security research community is that supply chain attacks are going to become more and more common, enabling hackers to attack a much wider range of websites than before. In other words, it’s not just the big e-commerce websites, or the huge travel and ticketing companies that do a significant amount of their business online, that are at risk – it’s any website that engages in transactions online. Magecart code, for example, has been found on videogaming sites and news websites.

Given the number of third-party vendors that supply website services related to online advertising and customer tracking, it’s easy to see how Magecart hackers might start ramping up their supply chain attacks in order to compromise the entire online advertising ecosystem. That could be a nightmare scenario for websites and companies that once thought they were free and clear of any cyber attacks featuring Magecart malware.