80 and Counting: eCommerce Sites Infected by Magecart

Web applications are a common target of hackers since they are exposed to the Internet yet have access to valuable internal data. Protecting these systems against hackers requires knowledge of common attacks like those included on the OWASP top 10 as well as more recent innovations.

One hacking group that has been making headlines recently for their attacks on web applications is Magecart. The Magecart group has managed to steal large amounts of customer payment card information by exploiting vulnerable web payment gateways. Since their attacks have been growing in frequency and scale, and show no signs of stopping, it is important for organizations to understand how Magecart works, how to detect them, and how to protect their systems and their customers from attack.

What is Magecart?

Like most hacking groups, Magecart has a particular speciality. It makes so many headlines because its attacks are often highly successful, even though they are easily detectable if you know where to look.

Magecart’s speciality is in digital card skimmers. Unlike the physical device that some criminals use to steal the information of credit cards used in a point of sale system, Magecart’s systems are all software. A piece of malicious script inserted into the payment page of a website sends all of the credit card information to the hacker as well as the retailer.

This works by using a technique called formjacking. When a visitor to the site hits submit on a payment, it kicks off a series of events designed to send the payment card information to the retailer. Magecart’s malicious code hooks into this and sends a copy of the payment card information to the hacker as well.

Unlike many data breaches that target databases and other well-protected systems, Magecart steals payment information from one consumer at a time through the browser. While this technique is slower, it’s often subtler as well since they’re attacking on the consumer’s side instead of the retailer’s. While the malicious code used in the skimmer is plain to see if you know to look for it, many sites have failed to do so, making Magecart a highly successful hacking group.

The Spreading Magecart Threat

Magecart has a history of successful, high-profile data breaches. Big name targets have included Ticketmaster and British Airways. In fact, the British Airways breach became especially famous since it caused the UK’s GDPR enforcement agency to levy a record-breaking $230 million fine against the airline. This fine was greater than all fines levied in the first year of GDPR enforcement put together.

More recently, Magecart hit headlines for a large-scale attack against users of the Magento eCommerce platform. Investigations revealed that 80 retailers who were using an outdated version of the platform were being actively targeted by Magecart. Vulnerabilities in the platform allowed the malicious code to be uploaded to the eCommerce sites and steal customers’ information from payment platforms.

How Magecart Gets In

The Magecart group's attacks are so effective partly because the tactics are so simple. The code necessary to perform a formjacking attack is short and easy to write. The main challenge is placing the malicious code on the target site, which can be accomplished in a variety of ways. One option is exploiting cross-site scripting (XSS) vulnerabilities, since XSS attacks are specifically designed to embed malicious code on a target system. While this is a well-known attack vector, these vulnerabilities are still very common on production sites.

In the case of the hack of the 80 Magento users, Magecart exploited a vulnerability in how the outdated version of Magento handled Vimeo videos added to the site. The site was designed to pull a preview image from a URL, check that it was valid, and, if so, embed it on the site. However, if the target file was not valid, the code still downloaded it to the web server. Magecart took advantage of this by using it to pull their malicious script files and save them on the web server to serve to victims.
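The defect described above is a download handler that persists remote content before deciding whether it is valid. The following Python example, added here and not taken from Magento or from the original article, shows the safe ordering: fetch into memory, validate the bytes as an image, and only then hand them to storage under a name the remote URL cannot influence. The image-format policy, the size limit, and the `fetch`/`store` callables are assumptions made so the code runs offline.

```python
import hashlib
from urllib.parse import urlparse

# Magic bytes of the only formats a preview image may have (assumed policy for this example).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_PREVIEW_BYTES = 2 * 1024 * 1024


def sniff_image_type(data):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, or None for anything else."""
    for name, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def save_preview_image(url, fetch, store):
    """Fetch a preview image and hand it to `store` only after it passes validation.
    `fetch(url)` returns the body as bytes and `store(name, body)` persists it (both injected
    so this runs offline).  Returns the stored name, or None when the content is rejected;
    a rejected body is never persisted, which is the step the outdated handler got wrong."""
    if urlparse(url).scheme not in ("http", "https"):
        return None
    body = fetch(url)  # held in memory; nothing touches storage yet
    if len(body) > MAX_PREVIEW_BYTES:
        return None
    kind = sniff_image_type(body)
    if kind is None:
        return None
    # Name by content hash so the remote URL never picks the filename or its extension.
    name = hashlib.sha256(body).hexdigest()[:16] + "." + kind
    store(name, body)
    return name


# Constructed responses standing in for the remote video service (not real URLs).
FAKE_RESPONSES = {
    "https://video.example/thumb.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "https://video.example/thumb.js": b"/* not an image */ var x = 1;",
}
STORED = {}  # in-memory stand-in for the web server's media directory


def fake_fetch(url):
    return FAKE_RESPONSES[url]


def store_in_memory(name, body):
    STORED[name] = body
```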

Magecart is also known for taking advantage of the digital advertising infrastructure to spread their malicious scripts through malvertising. Digital advertisers are accustomed to taking third-party scripts and embedding them on legitimate sites. By sneaking skimmer code past their scanners, Magecart can take advantage of digital advertisers to place their malicious scripts on a variety of different sites.

Protecting Against Magecart

Magecart attacks rely upon the attacker's ability to insert and execute malicious scripts on legitimate websites without detection. Because Magecart steals only a single piece of sensitive information at a time, detection has a much greater impact than in other breaches, where by the time the theft is discovered it is already "too late".

Protecting against Magecart attacks requires detection of the malicious scripts either during the initial insertion or when they are actively stealing sensitive information. For an organization, insertion time is the better time since this is when Magecart is actively interacting with the organization’s systems.

Many techniques for inserting malicious code into a website take advantage of vulnerabilities like cross-site scripting. Protecting against these attacks requires an intelligent web application firewall (WAF) that is capable of identifying and blocking these exploits. A leading WAF may also be able to detect anomalous activity on the web server, such as a request that loads a malicious script an attacker has added.
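Detection at insertion time comes down to knowing which scripts a payment page is supposed to carry. The Python example below, added here and not part of the original article, inventories the `<script>` tags of a captured checkout page, flags any external script whose host is not on an allowlist and any inline script whose hash is not in the baseline, and turns the same baseline into a Content-Security-Policy `script-src` directive so the browser enforces it too. The sample page, the `shop.example` allowlist and the `cdn.attacker-placeholder.example` host are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed checkout page (not a real site): the first two script tags are the known-good
# baseline; the third points at a placeholder host standing in for an injected skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script>window.checkoutReady = true;</script>
<script src="//cdn.attacker-placeholder.example/analytics.js"></script>
</body></html>
"""
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def csp_hash(script_body):
    """CSP-style 'sha256-<base64>' token over the exact inline script text."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inventory_scripts(html):
    external, inline = set(), set()
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            external.add(src.group(1))
        elif body:
            inline.add(csp_hash(body))
    return external, inline


def check_page(html, allowed_hosts, baseline_inline):
    """Flag non-allowlisted script hosts and inline scripts missing from the baseline.
    A src without a host (e.g. /js/x.js) is same-origin and treated as allowed."""
    findings = []
    external, inline = inventory_scripts(html)
    for src in sorted(external):
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for digest in sorted(inline - baseline_inline):
        findings.append(("unmatched-inline-script", digest))
    return findings


def csp_script_src(allowed_hosts, baseline_inline):
    """Express the same baseline as a Content-Security-Policy script-src directive."""
    sources = ["'self'"] + sorted(allowed_hosts) + ["'%s'" % h for h in sorted(baseline_inline)]
    return "script-src " + " ".join(sources)


ALLOWED_HOSTS = {"shop.example"}
BASELINE_INLINE = {csp_hash("window.checkoutReady = true;")}
```

Run the check on every deploy and on a schedule against the live page; a new finding is a change to the payment page that nobody approved.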

About Mark Westall

Mark Westall is the Founder and Editor of FAD magazine, 'A curation of the world's most interesting culture' [PLUS] Art of Conversation: a tri-annual 'no news paper'.