Avishai Shafir, director of product management, PerimeterX
The Magecart group of digital skimming attacks gets its name from the Magento open-source ecommerce platform. Most of the online digital skimming attacks undertaken by so-called “Magecart gangs” target Magento, which has many older versions still in use to operate ecommerce applications.
But Magecart is now much bigger than Magento. In December 2020, researchers identified a new, more technologically advanced type of Magecart exploit. Designed like other Magecart attacks to skim credit card information from web applications, this one could attack many popular ecommerce platforms and content management systems (CMS). These include Magento, WordPress, Drupal, Shopify, BigCommerce, Salesforce Commerce Cloud and WooCommerce.
A skimming scourge for the digital age
The emergence of this versatile skimmer is one of a growing number of indicators that Magecart gangs are expanding their digital skimming efforts to a broader range of platforms. In May of 2021, for example, Magecart gangs were identified as the source of a new variation of digital skimmers called MobileInter targeting mobile browsers and mobile websites. MobileInter worked to identify mobile users across a wide variety of browsers.
This target expansion is a logical development. By increasing the attack surface, Magecart gangs are increasing their total addressable market. Equally important, we see Magecart skimmers become more platform agnostic and designed to work on any number of applications running the same frameworks and code languages—namely, PHP and JavaScript. For security teams and operators of web applications, protecting their digital storefront will mean adopting the lessons of Magecart risk mitigation to all ecommerce applications where sensitive customer financial information is collected.
Since emerging in 2015, Magecart has become a blanket description for a broad array of digital skimming attacks on web and mobile applications. Previously focused on point-of-sale (POS) terminals in which skimmers may have been physical or on hacks of the POS system, skimming shifted quickly to the internet and ecommerce platforms over the past five years. Today, most skimming of personal information and financial information happens on the web and mobile applications in card-not-present transactions.
This shift has made Magecart and digital skimming one of the most serious and financially damaging cybersecurity threats to ecommerce, financial services, travel and government sites. In a Magecart attack, malicious hackers inject a “skimmer”—an unauthorized piece of JavaScript code into checkout pages or other pages, which is where customers enter sensitive information. Some Magecart attacks inject modified forms or the entire pages, inserting additional fields to collect data not asked for on the legitimate forms. Skimmers can also target their attacks narrowly; there is a whole family of Magecart attacks that focus specifically on stealing data from cryptocurrency users. Magecart attacks use advanced obfuscation techniques to make it hard to see or understand the skimmer code.
Often, Magecart skimmers operate for months without the site operators or their security teams knowing about the hack. Because Magecart changes application behavior in subtle ways only on the client-side of the application, operators have no straightforward way to observe the often hard to detect modifications to what a user sees. Magecart attacks have successfully compromised thousands of web and mobile applications. Victims include dozens of global brands such as British Airways and Macy’s. The annual cost to online merchants and other operators of Magecart attacks is hard to calculate precisely because these attacks are counted with other financial attacks. The tally is well into the billions of dollars annually across losses, remediation costs, and reputational damage. For example, British Airways paid a $20 million fine for failing to protect its customers against a Magecart attack.
How Magecart is evolving beyond Magento
Magecart attacks injecting digital skimmers into web application code increased during the COVID-19 Pandemic and have remained at high levels ever since across a more comprehensive array of platforms. The expansion to additional platforms is not rocket science. WordPress, WooCommerce and Magento use PHP as their primary application code base. All of them use JavaScript, the language of the web, as their primary web client language for business logic. This concentration allows Magecart gangs to quickly modify an attack targeting one platform to function on another.
Magecart attackers have also recognized that plugins and third-party addons can provide efficient paths to compromising other platforms. Magecart gangs insert code into the source code repositories or build processes of the plugins for these attacks. Because plugins are usually barely modified from one ecommerce platform to another, Magecart attack code tends to work well on plugins across platforms. Known as a “supply chain attack,” this style of Magecart compromise is favored by more sophisticated gangs and is even more dangerous because it delivers its payload via trusted third parties. The site operators may not even have visibility into the compromised code; they can only identify the anomaly by spotting the changes customers are experiencing.
How to fight evolving attacks
For security teams and operators operating ecommerce stores online, that are not running on Magento, risks of skimming attacks by Magecart gangs are growing as the genre shifts to a broader spectrum of target platforms. Defending against these attacks requires a more comprehensive view of where Magecart exploits are likely to strike and what behaviors they are likely to undertake. With this shift to a broader array of targets and multi-platform Magecart code, attacks are more likely to focus on more universal attributes of all these platforms—such as plugins or shared fields or even favicons a popular vehicle for obfuscating and inserting unwanted JavaScript code. Alternatively, Magecart gangs will program in behavior that can recognize specific attributes such as payment forms or credit card requests. This makes Magecart more dangerous because it is more widespread.
More basic cybersecurity tools like web application firewalls (WAFs) do little or nothing to protect against Magecart attacks. WAFs protect against inbound (server-side) attacks but do not guard against client-side attacks. Some security teams run static scanning on their web application code to identify changes and anomalies. Magecart attacks evade this by inserting themselves into third-party code (like favicons) that is dynamically served. A more effective approach is to use content security policies (CSPs) to guard against business logic and prevent web application code from executing unwanted behaviors. CSPs require significant tuning and are not sufficient protection to protect against the compromise, for example, of a trusted domain that injects a skimmer into application code.
Furthermore, CSP can control traffic (inbound and outbound) with domain based on allow policy. This method is not relevant when the attack vector is an allowed domain (like google or other big software providers). Applying these restrictions will cause many failures in the site when developers forget to modify the CSP.
To properly guard against all types of Magecart attacks, security teams and site operators should look at solutions that continuously analyze application behavior (client-side security monitoring) to identify minor anomalies that may indicate the presence of a skimmer. Because all skimmers have the same goal, they tend to exhibit similar behavior. Using machine learning (ML) is an ideal tool to study skimming behaviors and legitimate web application behaviors at scale across billions of interactions.
Using these insights, ML technology can recognize common patterns of Magecart behaviors and recognize when an application is deviating, even slightly, from routine, expected behavior. By leveraging real-time behavior-based analysis of application behavior and comparing that to past behaviors, retailers can identify Magecart attacks in real-time and site operators notified of the issue. As Magecart evolves and expands its target list, knowing the enemy and countering them in real-time is the best defense against the threat, known and unknown.
PerimeterX provides security services for websites and mobile applications.
Favorite