What Is Magecart?
The name “Magecart” refers to several hacker groups that employ online skimming techniques for the purpose of stealing personal data from websites—most commonly, customer details and credit card information on websites that accept online payments. Magecart groups have successfully breached well-known brands. The name is inspired by the original target of these groups—the Magento platform, which provides checkout and shopping cart functionality for retailer sites.
Impact of Magecart Attacks
Here are several potential impacts of Magecart attacks:
- Theft of personal information—while the primary target of Magecart attacks is credit card information, attackers can also steal personal information. This can potentially affect millions of shoppers.
- Revenue loss—a small to medium-sized eCommerce retailer previously breached by Magecart may see a significant decrease in online sales. This is because customers may lose trust in the retailer’s ability to prevent another breach.
- Further infection—if a Magecart group exfiltrates user login and administrator credentials, they can potentially expand the attack to infect additional sites. For example, during the VisionDirect.co.uk breach, a Magecart group infected not only the main site but also the retail site of seven other European countries.
- Legal and compliance damages—a Magecart attack exposes a company to lawsuits by affected customers, legal penalties if the company is subject to regulations like GDPR, and industry penalties such as a PCI DSS audit and inability to process credit cards.
Examples of Magecart Victims
Here are some notable examples of organizations that have been targeted by Magecart groups.
Magento
Magecart initially targeted Magento—a third-party shopping software. The name Magecart is a combination of “shopping cart” and “Magento” and to this day Magento and other eCommerce software providers like OpenCart are primarily targeted by Magecart groups.
British Airways
British Airways made public that its website, as well as a mobile application, had been breached. Threat actors managed to steal the payment information of 380,000 British Airways customers.
According to RiskIQ, the breach was conducted by Magecart. The threat actors were able to directly compromise British Airways’ website by exploiting its unique functionality and structure.
Magecart attackers copied JavaScript payment forms from British Airways’ website and then modified the form to make it send the payment information to a server controlled by the actors. To avoid detection, the actors ensured the forms continued to work as intended in end-user browsers.
Additionally, the actors knew that the mobile application of British Airways also used similar to that used in the web application. This means that by breaching the website, the actors could also gain access to the mobile application. Many of the 380,000 victims were in fact, mobile application users.
Amazon S3 Buckets
RiskIQ revealed that the Magecart group had compromised many more third-party web suppliers than was previously reported. In fact, it was found that these actors had actually automated the process of compromising websites with skimmers. They achieved this by proactively scanning for misconfigured Amazon S3 buckets, and then they compromised a significant amount of S3 buckets that impacted more than 17,000 domains—many of these websites even appear in the top 2,000 of Alexa rankings.
Hanna Anderson
In 2020, American children’s apparel maker and online retailer Hanna Andersson revealed that its eCommerce online purchasing platform was hacked, and malicious code was injected to steal customers’ payment information for almost two months.
As often happens with Magecart attacks, this attack went unnoticed until the stolen credit cards surfaced on the dark web. As a result of the breach, Hanna Andersson agreed to pay $400K in California Consumer Privacy Act (CCPA) related breach lawsuit. Per the settlement, over 200,000 US-based customers who made purchases from the Hanna Andersson web store from Sept. 16 to Nov. 11, 2019, are eligible to receive compensation in the agreement.
How Do Magecart Attacks Work?
Each Magecart group may operate in a different manner. Previous attacks used different patterns, including:
- Targeting primarily a small number of high-value organizations.
- Mass attacks built especially to attack as many vendors as possible.
- Using several different types of code injects and skimmers, alongside other intrusion methods and a host of additional tactics and tools.
- Carrying out supply chain attacks that target third-party vendors that can provide access to several web applications.
- Targeting eCommerce platforms.
While each group may choose different targets and tactics, most of them use formjacking, or digital skimming, in order to steal the payment card information of website visitors.
Recent research has shown that formjacking is responsible for almost 3/4 of web-related data breaches, with half of them affecting the retail industry.
Another important aspect of the attacks is that the Magecart threat is persistent. Security researchers discovered that one out of five eCommerce stores that were previously infected by Magecart are re-infected in a matter of days. Magecart operatives often:
- Fill hacked stores with many backdoors, including rogue admin accounts.
- Leverage a variety of reinfection mechanisms, including hidden periodic tasks and database triggers, which enable them to reinstate their payload.
- Employ obfuscation techniques, which help make their presence indistinguishable from legitimate code.
- Use zero-day security exploits, which have no patches, in order to hack sites.
Magecart Attack Mitigation
What Can Merchants Do to Prevent Magecart Attacks?
To reduce the risk of Magecart and other types of client-side attacks, take the following steps:
- Identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on your website.
- Ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware.
- Switch from third-party to first-party services – whenever possible, prefer to run software on your own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors.
- Implement HTTP Content-Security-Policy headers – provides an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks.
Today, there are dedicated solutions that handle client-side protection and help prevent Magecart attacks.
What Can Consumers Do to Protect Themselves?
Consumers place their trust in eCommerce websites while shopping online. While eCommerce merchants are responsible for securing their site, there are measures that can be taken by each individual consumer. Consumers should consider applying these security measures:
- Avoid entering personal information on websites they do not trust.
- Use a service like privacy.com to generate single-use credit cards.
- Verify the domain URL to ensure it is not a fake domain with a similar name created by attackers.
- Use browser plugins to prevent JavaScript loading from untrusted sites. This can help reduce the surface of attack. Note that this technique cannot protect against malicious code that is already embedded in trusted sites.
- Block connections to IP addresses and domains known to be used by attackers. This can be set up by administrators on corporate or managed devices.
Imperva Magecart Prevention
Imperva Client-Side Protection provides security teams with visibility into JavaScript services executing on your website at any given moment. It automatically scans for existing and newly added services, eliminating the risk of them being a blind spot for security.
Imperva handles the difficult part of Content-Security-Policy for your organization, making it a viable part of mitigation. The domain risk score adds a credibility rating for each service, making it easier for security to determine the nature of each service, and determine whether it should be allowed to run or not.
Simplified actions let you allow approved domains while blocking unapproved ones. Client-Side Protection ensures your customers’ sensitive information doesn’t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.
Beyond Magecart prevention, Imperva provides comprehensive protection for applications, APIs, and microservices:
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
