Simon Roe, product manager at Outpost24, outlines the dangers of Magecart over the coming years.
The criminal collective known as Magecart has caused mass disruption with its payment-skimming attacks, which have led to more than 2 million websites and online shopping systems being compromised.
One of its most notable attacks was against British Airways in 2018, when the payment data of nearly 400,000 customers was stolen via the BA app and website. The group has since continued to run its payment card attacks against other leading brands and will inevitably remain a threat going forward.
Danger has been brewing since the 2000s
The Magecart name has grown in stature amongst the cyber security fraternity, more so in light of the credit card attacks that plagued businesses throughout 2018 and 2019. The syndicate, which is thought to encompass over 10 smaller cybercrime groups, specialises in harvesting consumer credit card data online.
Yet the underlying technique is much older: it was first noticed in April 2000, when a backdoor was discovered in the Cart32 shopping cart software that was stealing credit card information from customers of the e-commerce sites running it.
Since then, the success of Magecart's attacks has no doubt contributed to the recent trend of targeting e-commerce websites and has led many splinter groups to follow suit. While the web-skimming methods have changed slightly over the years, the objective has stayed the same: steal as much data as possible from payment forms and checkout pages.
Web-skimming and the targeting of online stores is viewed as a highly lucrative revenue source for cybercriminals, and naturally this has bred specialist developers who create skimming 'kits' to be sold online. This is very much in the same vein as the Ransomware-as-a-Service kits that have flooded the dark web.
Indeed, this problem will only get worse as more vendors begin to conduct business online: with security widely viewed as an afterthought, the growing number of outdated systems that can be exploited through unpatched vulnerabilities will only lead to an increase in attacks.
Another point to take into consideration is knowing which businesses are most likely to be targeted. If you look at some of the higher-profile Magecart attacks, you will notice that international brands such as Amazon, high-street fashion retailer Macy's and online ticket distributor Ticketmaster have been targeted.
While this may lead one to believe that only well-known enterprises and retailers will be targeted, in reality nothing could be further from the truth: cybercriminals do not discriminate. If your website has the capability to store, process or collect credit card information, you can almost guarantee that it will be a target.
Being protected against Magecart
Protecting a website is far from easy because of its complexity. One example is the way browsers handle third-party scripts: a page can include images, scripts and other resources hosted on any other domain or server, and a script included this way runs with full access to the page that loaded it, including whatever a customer types into the payment form.
This means a website with a heavy dependence on such scripts carries a risk: malicious code can sit dormant inside a third-party script without the site owner knowing. Only once an unsuspecting victim begins interacting with the page does the malicious code activate and harvest the payment card information.
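The first check a practitioner wants against the risk described above is an inventory of which scripts a checkout page actually loads, and from where. The following is an added example written for this page, not code from the article or from Outpost24: it scans the `<script>` tags of a checkout page, resolves each source against the site's own origin, and flags third-party scripts that carry no Subresource Integrity hash, since those can be changed on the provider's server at any time. The site origin `https://shop.example`, the other hostnames, the placeholder integrity value and the HTML itself are all constructed for the example.

```javascript
// Added example, not code from the article or from Outpost24: inventory the
// <script> tags on a checkout page and flag the kind of include a web skimmer
// would hide in. All hostnames and the sample HTML are constructed.

const FIRST_PARTY_ORIGIN = "https://shop.example"; // assumed site origin

// Constructed checkout page. The last <script> is the case the article warns
// about: a script from another domain, pinned to no particular content, that
// runs with full access to the payment form once it loads.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="payment"><input name="cc_number"><input name="cvv"></form>
<script>window.dataLayer = [];</script>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib.min.js"
        integrity="sha384-EXAMPLEHASHNOTREAL"
        crossorigin="anonymous"></script>
<script src="https://stats-collector.example/analytics.js"></script>
</body></html>`;

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTRIBUTE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute string of one <script ...> tag into an object.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Classify a single script tag relative to the site's own origin.
// A third-party script is flagged when it carries no Subresource Integrity
// hash, because its content can change on the provider's server at any time.
function classifyScript(attrs, firstPartyOrigin) {
  if (!attrs.src) {
    return { src: null, kind: "inline", hasIntegrity: false, flagged: false };
  }
  const url = new URL(attrs.src, firstPartyOrigin); // resolves relative paths
  const thirdParty = url.origin !== new URL(firstPartyOrigin).origin;
  const hasIntegrity = Boolean(attrs.integrity);
  return {
    src: url.href,
    kind: thirdParty ? "third-party" : "first-party",
    hasIntegrity,
    flagged: thirdParty && !hasIntegrity,
  };
}

// Inventory every script tag in the page, in document order.
function auditScripts(html, firstPartyOrigin = FIRST_PARTY_ORIGIN) {
  return Array.from(html.matchAll(SCRIPT_TAG), (m) =>
    classifyScript(parseAttrs(m[1]), firstPartyOrigin)
  );
}

// Just the script URLs that need a human to look at them.
function flaggedSources(html, firstPartyOrigin = FIRST_PARTY_ORIGIN) {
  return auditScripts(html, firstPartyOrigin)
    .filter((s) => s.flagged)
    .map((s) => s.src);
}

console.table(auditScripts(SAMPLE_CHECKOUT_HTML));
console.log("needs review:", flaggedSources(SAMPLE_CHECKOUT_HTML));
```

Run against the sample, the audit lists four scripts and flags only `https://stats-collector.example/analytics.js`. Two caveats apply. An integrity hash only works for a file the provider intends to keep static; a tag-manager or analytics script that changes weekly cannot be pinned, so such includes should be reviewed by hand rather than waved through. And the check says nothing about first-party scripts: in the British Airways incident the skimmer was injected into a script served from BA's own site, so the first-party files also need to be compared against the hashes of the deployed build.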
When it comes to best practices for defending against actors such as Magecart, it is imperative that organisations have an application security solution in place. This should involve continuous 24/7 monitoring and testing against both known and new vulnerabilities, especially for vendors that host their own e-commerce stores.
It is strongly advised to scan for and block the vulnerability classes in the OWASP Top 10 and the WASC Threat Classification, such as XPath injection, XML injection and cross-site scripting. Bear in mind that these findings are only part of the picture: the skimmer itself is usually planted through an outdated platform or a third-party script, so reviewing the scripts loaded on checkout pages matters as much as the scan.
If any of these are identified, the application security solution should detect them in real time so that remediation can begin as soon as possible. The scanning should also cover the CVE catalogue, including known vulnerabilities in the frameworks in use and misconfigurations on the server.
If your website is hosted through a third party, it is vital to carry out due diligence to ensure the necessary security measures are being taken. This requires a level of trust between host and customer. E-commerce sites hosted in the cloud are just as exposed to these threats, so be mindful of what security the cloud provider actually implements and what remains your own responsibility.
In essence, many of Magecart's attacks succeeded because they preyed on outdated e-commerce stores: the victims were either relying on a basic security solution with no dedicated application security, or were running custom web applications with vulnerabilities that Magecart could exploit.
Thankfully, these threats can be mitigated by implementing an agile web application security solution that continuously assesses and protects against flaws in the apps and websites that are critical both to business operations and to customer satisfaction.