Magecart Skimming Attacks

Magecart is a form of data skimming, which attacks using the client-side browser as the front-door for consumer interactions. “Skimming” is a method used by attackers to capture sensitive information from online payment forms, such as email addresses, passwords, and credit card numbers. For Magecart specifically, hackers implant malicious code into websites in order to steal credit card information as people enter credentials on the checkout page. Data skimming attacks like Magecart typically follow a well-established pattern.

These latest attack in the long string of Margecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.

How does Work Magecart Skimming Attack

All these hacks usually follow a well-established pattern. The first step is for hackers to gain access to an online store’s backend.

Initial Magecart attacks targeted Magento stores. Hackers used automated scanners to search the Internet for Magento stores and used vulnerabilities in the Magento CMS or its plugins to gain an initial foothold on infected systems.

Hackers would then modify the site’s source code, making the hacked site load a piece of JavaScript code that would watch the payment form on checkout pages for new data entered by users.

The malicious script –which initially received the name of Magecart malware– would collect all data entered by a user inside these forms and later send it to a remote server under the attacker’s control.

Data skimming attacks like Magecart typically follow a well-established pattern. They must achieve three things to be successful:

Step 1: Gain access to your website

There are typically two ways that attackers gain access to your website and place skimming code. They can either break into your infrastructure or your server and place the skimmer there. Or, they will go after one of your third-party vendors (especially if they are an easier target) and infect a third-party tag that will run a malicious script on your site when it is called in the browser.

Step 2: Skim sensitive information from a form

There are lots of different ways that groups can capture data, but skimming code is always some sort of JavaScript that is listening for personal information and collecting it.

Here are three common ways skimming occurs on a website:

  • Keylogging: Listening for all possible key-down events and then filters out everything except the keystrokes they want to capture (i.e. a 12-digit number followed by a date code).
  • Sniffing form submissions: Listening for a click on a submit button or form submission event and then requesting all of the fields on the form.
  • Form jacking: Swapping out a field in a real form with an infected field that sends the information to a bad source, or rendering a fake version of a form on top of the real form.

All three of these skimming scripts do the same thing, whether it’s infecting first-party or third-party code. They basically ask the browser to share what consumers are typing into a page or a form. And once that JavaScript is loaded, it has access to all the same resources and all the same information as your first-party JavaScript.

Generally, attackers will hide malicious code inside other code that looks benign to avoid detection.

Step 3: Send information back to their server

This is the simplest part of the whole process. Once hackers have gained access to your website and scraped the data they want—it’s game over.

Here are dozens of different cyber-criminal groups that use this style of attack. Attackers can send information to themselves in a variety of ways: POST, GET, or image requests that are being sent to proxies’ domains that are disguised as legitimate sounding domains. For example, when Newegg suffered a Magecart attack, the stolen information was being sent to a registered domain www.neweggstats.com, which blended in with the primary domain of the site.

There is no silver bullet in preventing web-skimming attacks, but there are still measures that can be taken to mitigate the risks.

Mitigation for Magecart Skimming Attack

Merchants (server-side)

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

There are too many aspects of website security to cover here in how to keep your own site from getting hacked, so instead, we will focus on a third-party compromise scenario.

Third-party resource integrity checking is one security aspect that has been overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not necessarily mean having to weather the issues experienced by a third party. While in this post we have focused on credit card stealers, there are a number of other threats that can be disseminated via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help to mitigate many issues.

Consumers (Client-side)

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones.

Using browser plugins such as NoScript can prevent JavaScript loading from untrusted sites and therefore reduces the surface of attack. However, it has the same shortcomings when malicious code is embedded in already trusted resources.

Magecart and other web skimmers can be mitigated at the exfiltration layer, by blocking connections to known domains and IPs used by the attackers. It is not full-proof, though, considering how trivial it is to register new properties. But infrastructure reuse is something we still see quite often.

Leave a Comment

Your email address will not be published. Required fields are marked *

three + thirteen =