The Magecart family of digital skimming attacks gets its name from the Magento open-source ecommerce platform. Most of the online digital skimming attacks undertaken by so-called “Magecart gangs” target Magento, many older versions of which are still in use to run ecommerce applications.
But Magecart is now much bigger than Magento. In December 2020, researchers identified a new, more technologically advanced type of Magecart skimmer. Designed, like other Magecart attacks, to skim credit card information from web applications, this one could attack many popular ecommerce platforms and content management systems (CMS), including Magento, WordPress, Drupal, Shopify, BigCommerce, Salesforce Commerce Cloud and WooCommerce.
A skimming scourge for the digital age
The emergence of this versatile skimmer is one of a growing number of indicators that Magecart gangs are expanding their digital skimming efforts to a broader range of platforms. In May of 2021, for example, Magecart gangs were identified as the source of a new variation of digital skimmers called MobileInter targeting mobile browsers and mobile websites. MobileInter worked to identify mobile users across a wide variety of browsers.
Since emerging in 2015, Magecart has become a blanket description for a broad array of digital skimming attacks on web and mobile applications. Skimming previously focused on point-of-sale (POS) terminals, whether through physical skimmers or through compromise of the POS software, but over the past five years it shifted quickly to the internet and ecommerce platforms. Today, most skimming of personal and financial information happens in web and mobile applications during card-not-present transactions.
Often, Magecart skimmers operate for months without the site operators or their security teams knowing about the compromise. Because Magecart changes application behavior in subtle ways, and only on the client side, operators have no straightforward way to observe the modifications to what a user sees; the server-side code and logs look unchanged. Magecart attacks have successfully compromised thousands of web and mobile applications. Victims include dozens of global brands such as British Airways and Macy’s. The annual cost of Magecart attacks to online merchants and other operators is hard to calculate precisely because these attacks are counted together with other financial attacks, but the tally is well into the billions of dollars annually across losses, remediation costs, and reputational damage. For example, British Airways paid a $20 million fine for failing to protect its customers against a Magecart attack.
How Magecart is evolving beyond Magento
Magecart attackers have also recognized that plugins and third-party add-ons provide efficient paths to compromising other platforms. In these attacks, Magecart gangs insert code into the source code repositories or build processes of the plugins themselves. Because plugins are usually barely modified from one ecommerce platform to another, Magecart attack code tends to work across platforms. Known as a “supply chain attack,” this style of Magecart compromise is favored by more sophisticated gangs and is even more dangerous because it delivers its payload via trusted third parties. The site operators may not even have visibility into the compromised code; they can only identify the anomaly by spotting the changes customers are experiencing.
How to fight evolving attacks
More basic cybersecurity tools like web application firewalls (WAFs) do little or nothing to protect against Magecart attacks. WAFs protect against inbound (server-side) attacks but do not guard against client-side attacks. Some security teams run static scanning on their web application code to identify changes and anomalies. Magecart attacks evade this by inserting themselves into third-party code that is dynamically served (the skimmer hidden in a favicon is one known example). A more effective approach is to use content security policies (CSPs) to guard the application's business logic and prevent web application code from executing unwanted behaviors. CSPs require significant tuning, however, and they are not sufficient protection against, for example, the compromise of a trusted domain that injects a skimmer into application code.
Furthermore, CSP controls traffic (inbound and outbound) by domain, based on an allow list. This method is not relevant when the attack vector is an allowed domain (such as Google or another large software provider). Applying these restrictions also causes many failures on the site when developers forget to update the CSP.
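To make the limits of a domain allow list concrete, here is an added example (not code from the original article or from PerimeterX) of a minimal CSP evaluator. It parses a `Content-Security-Policy` header and answers whether a URL would be permitted under a given directive, then runs the same four checks against a weak policy and a tightened one. All hostnames (`shop.example.test`, `cdn.vendor.test`, `api.psp.test`, `collector.unknown.test`) are constructed placeholders, and the matcher ignores nonces, hashes, ports and paths.

```javascript
// Added example, not code from the original article or from PerimeterX:
// a minimal Content-Security-Policy evaluator that shows what a domain
// allow list stops and what it does not. All hostnames are constructed.

// Directives that do NOT fall back to default-src when absent
const NO_FALLBACK = new Set(["form-action", "frame-ancestors", "base-uri", "report-uri", "report-to", "sandbox"]);

// "script-src 'self' https://cdn.vendor.test; connect-src 'self'" -> { "script-src": [...], ... }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Match one source expression against a URL. Nonces, hashes, ports and paths
// are deliberately not modelled; this is enough to show the allow-list logic.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;            // 'nonce-...', 'sha256-...', 'unsafe-inline'
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme-only source such as "https:"
    return url.protocol === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Would the browser allow this URL under the given directive?
function isAllowed(policy, directive, urlString, pageOrigin) {
  let sources = policy[directive];
  if (!sources && !NO_FALLBACK.has(directive)) sources = policy["default-src"];
  if (!sources) return true;                           // nothing governs it: allowed
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

const PAGE_ORIGIN = "https://shop.example.test";

// Weak setting: broad scheme allow list, no form-action restriction
const WEAK_POLICY =
  "default-src 'self' https:; script-src 'self' https://cdn.vendor.test";
// Tightened: outbound connections and form posts limited to the origin and the payment API
const TIGHTENED_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.vendor.test; " +
  "connect-src 'self' https://api.psp.test; form-action 'self'";

function evaluateScenario(cspHeader) {
  const policy = parseCsp(cspHeader);
  return {
    // skimmer served from a trusted, allow-listed vendor host: CSP cannot tell it apart
    skimmerFromTrustedHost: isAllowed(policy, "script-src", "https://cdn.vendor.test/widget.js", PAGE_ORIGIN),
    // script injected from a host that is not on the list
    scriptFromUnknownHost: isAllowed(policy, "script-src", "https://unknown.test/s.js", PAGE_ORIGIN),
    // skimmer exfiltrating via fetch/XHR to its collector
    exfilViaFetch: isAllowed(policy, "connect-src", "https://collector.unknown.test/c", PAGE_ORIGIN),
    // skimmer re-pointing the checkout form
    exfilViaForm: isAllowed(policy, "form-action", "https://collector.unknown.test/p", PAGE_ORIGIN),
  };
}

console.log("weak:", evaluateScenario(WEAK_POLICY));
console.log("tightened:", evaluateScenario(TIGHTENED_POLICY));
```

Under the weak policy the scheme-only `https:` source lets a fetch to any HTTPS host through, and the missing `form-action` means a re-pointed checkout form is not governed at all. The tightened policy closes both exfiltration paths, which is worth doing, but in both cases `skimmerFromTrustedHost` stays `true`: a skimmer served from the allow-listed vendor host is indistinguishable from the legitimate widget, which is the gap the article describes.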
To properly guard against all types of Magecart attacks, security teams and site operators should look at solutions that continuously analyze application behavior (client-side security monitoring) to identify minor anomalies that may indicate the presence of a skimmer. Because all skimmers have the same goal, they tend to exhibit similar behavior: reading payment fields and sending their contents somewhere the application never did before. Machine learning (ML) is an ideal tool for studying skimming behaviors and legitimate web application behaviors at scale across billions of interactions.
Using these insights, ML technology can recognize common patterns of Magecart behavior and notice when an application deviates, even slightly, from routine, expected behavior. By comparing real-time, behavior-based analysis of the application against its past behavior, retailers can identify Magecart attacks as they happen and site operators can be notified of the issue. As Magecart evolves and expands its target list, knowing the enemy and countering it in real time is the best defense against the threat, known and unknown.
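The behavior-based comparison described above, as an added example that is not code from the original article or from PerimeterX: an offline model in which a "session" is the list of telemetry events a client-side monitoring script would report from a checkout page (scripts loaded with their content hashes, event listeners attached to payment fields, outbound requests). A baseline is learned from known-good sessions and a live session is checked against it; a request body that carries a Luhn-valid card-number-shaped value bound for a host other than the payment provider is flagged regardless of baseline. All events, hostnames, field selectors and hash values are constructed, and the hashes are placeholder strings rather than real SHA-256 digests.

```javascript
// Added example, not code from the original article or from PerimeterX: an
// offline model of behaviour-based client-side monitoring. A "session" is the
// list of telemetry events a monitoring script would report from a checkout
// page; all events, hostnames and hashes below are constructed.

const CARD_FIELDS = new Set(["#cardNumber", "#cvv", "#expiry"]);
const PAYMENT_HOSTS = new Set(["api.psp.test"]); // the only host that may receive card data

// Luhn check over a string of digits
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Does a request body carry something shaped like a card number (13-19 digits, Luhn-valid)?
function containsCardNumber(body) {
  const runs = String(body || "").replace(/[\s-]/g, "").match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Baseline learned from known-good sessions: which scripts load (URL + content hash),
// which scripts attach listeners to card fields, and which hosts receive requests.
function buildBaseline(sessions) {
  const b = { scriptSrcs: new Set(), scriptHashes: new Set(), listeners: new Set(), hosts: new Set() };
  for (const session of sessions) {
    for (const e of session) {
      if (e.type === "script") { b.scriptSrcs.add(e.src); b.scriptHashes.add(`${e.src}|${e.sha256}`); }
      if (e.type === "listener") b.listeners.add(`${e.target}|${e.by}`);
      if (e.type === "request") b.hosts.add(e.host);
    }
  }
  return b;
}

// Compare one live session against the baseline and return rule hits in event order
function detectAnomalies(baseline, session) {
  const findings = [];
  for (const e of session) {
    if (e.type === "script") {
      if (!baseline.scriptSrcs.has(e.src)) findings.push({ rule: "unknown-script", detail: e.src });
      else if (!baseline.scriptHashes.has(`${e.src}|${e.sha256}`))
        findings.push({ rule: "trusted-script-changed", detail: e.src }); // same URL, new content
    } else if (e.type === "listener") {
      if (CARD_FIELDS.has(e.target) && !baseline.listeners.has(`${e.target}|${e.by}`))
        findings.push({ rule: "new-card-field-listener", detail: `${e.by} -> ${e.target}` });
    } else if (e.type === "request") {
      if (!baseline.hosts.has(e.host)) findings.push({ rule: "unknown-host", detail: e.host });
      if (containsCardNumber(e.body) && !PAYMENT_HOSTS.has(e.host))
        findings.push({ rule: "card-data-to-non-payment-host", detail: e.host });
    }
  }
  return findings;
}

// Constructed known-good checkout session (hash values are placeholders, not real digests)
const GOOD_SESSION = [
  { type: "script", src: "https://shop.example.test/checkout.js", sha256: "aaaa-constructed" },
  { type: "script", src: "https://cdn.vendor.test/widget.js", sha256: "bbbb-constructed" },
  { type: "listener", target: "#cardNumber", by: "https://shop.example.test/checkout.js" },
  { type: "request", host: "api.psp.test", body: "pan=4111111111111111&exp=1229" },
];

// Constructed session where the vendor script was swapped for a skimmer (supply-chain style)
const SKIMMED_SESSION = [
  { type: "script", src: "https://shop.example.test/checkout.js", sha256: "aaaa-constructed" },
  { type: "script", src: "https://cdn.vendor.test/widget.js", sha256: "cccc-constructed" },
  { type: "listener", target: "#cardNumber", by: "https://cdn.vendor.test/widget.js" },
  { type: "request", host: "api.psp.test", body: "pan=4111111111111111&exp=1229" },
  { type: "request", host: "collector.unknown.test", body: "d=4111 1111 1111 1111|123" },
];

const BASELINE = buildBaseline([GOOD_SESSION]);
console.log(detectAnomalies(BASELINE, SKIMMED_SESSION));
```

Note what the skimmed session trips: the vendor script keeps its trusted URL but arrives with a different content hash, a script that never touched payment fields now listens on `#cardNumber`, and card-shaped data leaves for a host the page has never contacted. The same URL-plus-hash comparison is what lets this catch the supply-chain case that a CSP allow list cannot; a production monitor would compute real digests and learn the baseline over many sessions rather than one.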
PerimeterX provides security services for websites and mobile applications.