An Insider's View - How To Use The Cyber Kill Chain to Defeat Magecart Data Theft

June 9, 2021 - Ensighten

Ensighten helps security, privacy, and compliance stakeholders ensure website customer data privacy and protection. Protecting customer data from cyberattacks is a crucial element of a web compliance and data privacy program.  This blog comes to you straight from our Threat Intelligence team and provides a unique "insiders" view into how cybercriminals behave, target, and operate. You'll also learn a framework based on Lockheed Martin's Cyber Kill Chain that can be employed to mitigate website data theft and web skimming risks.

  • Read on to get an insider's look at Magecart and website data theft operations, and practical insights and advice you can use to safeguard website customer data.
  • Understand the tools, techniques and procedures (TTPs) that a web skimmer attack uses.
  • Derive strategies to make your business more aware of its exposure points.
  • Learn about the state of hacking and stealing customer data from online storefronts and B2C websites.


The Cyber Kill Chain

Lockheed Martin initially developed the Cyber Kill Chain.  It is a model used to understand the phases that are likely to occur in an attack from start to finish.  Applying it to Magecart, you can identify the steps taken by an attacker from early reconnaissance to the exfiltration of personally identifiable information (PII).


[Download our 15-minute Guide to Web Skimming Protection]


Cyber Kill Chain: Reconnaissance

From an attacker's perspective, finding the vulnerable website or online storefront is their first mission. We have seen multiple Google dorks and Bing to identify potentially vulnerable OpenCart and Magento online stores.  Dorking is using smart search advanced operators offered by search engines.  For example, if we wanted to find web cameras, we might take some elements we know about a web camera we own to define a query that would only return results giving me that kind of web camera.  Such as, intitle:"Web Client" inurl:"webcamera.html".  We define that the web page title must be "Web Client" and that it must contain the URL "webcamera.html".   Using this technique, hackers can easily pinpoint sites of interest.

Mitigation and Discovery

In your web storefront logs (example below), you can often see where your traffic is being sourced.  

Cyber Kill Chain: Intrusion

After the attacker completes the reconnaissance phase, they take what they've learned, such as a listing of websites returned from a Google dork, and move to the intrusion phase.  In this phase, the attacker attempts to use known vulnerabilities to the suspected web applications and quickly test whether the vulnerability exists.  This testing can be done through simple scanning for software versions or deploying a weaponized payload. What the attacker hopes to gain here is knowledge that the vulnerability does exist.

We have seen Internet Relay Chat (IRC) bots that utilize previously compromised Linux machines, Bing and Google dorks, as well as weaponized payloads to automate the discovery of vulnerabilities in online stores and websites

Here's an example of a scan against a Magento website:

Mitigation and Discovery

Solutions vary based on your technology stack.  A common way to help prevent or detect this phase would be utilizing Apache ModSecurity and OWASP ModSecurity Core Rule Set.  Applying these can help prevent many false positive alerts and provides you the insight to know when you are potentially being targeted.  

Cyber Kill Chain: Exploitation

Now, let's say our attacker has identified the software you are running on your web server, detected a vulnerability in that software, and confirmed that the vulnerability exists.  The hacker then moves onto the Exploitation phase.  In this phase, the attacker uses a malicious payload against the software vulnerability to compromise the website.  The exploit may be gaining shell access to the server, gaining SQL server access, adjusting pricing within products on the server, modifying user accounts, or a number of other privileged access.

Ensighten's Threat Intelligence Team has uncovered 33 exploits for shopping cart solutions for vulnerabilities spanning just the past few years.  And, your shopping cart solution is only one item that a sophisticated hacker may target.  Attackers will look for PHPMyAdmin, custom PHP scripts, unprotected configuration files, and other open points of porosity that could lead to a compromise.

Here are samples of hacker tools found to help automate the discovery and exploitation of shopping cart solutions:

Mitigation and Discovery

Mitigating at this phase of an attack requires frequent software updates.  Discovery takes a few different routes, including log monitoring as found in OSSEC, file system monitoring using tools such as Tripwire, and NIDS solutions such as Snort.

Cyber Kill Chain: Privilege Escalation

We often find website developers have set insufficient file permissions, written custom exploitable web applications, lagged on software updates, and/or run software at privileges beyond their requirements.  Chaining a few of these exploits together, hackers can obtain higher privileges, though such privilege escalation is not always required within an attack.  

We have discovered Linux kernel vulnerability exploit packs being used by web skimmers. Below is an example of dirtyc0w (cve-2016-5195) that we found one to be using.

Mitigation and Discovery

Mitigation of this phase is difficult but possible.  An active system administrator maintains, updates, ensures file permissions, safeguards sensitive log files, and proactively applies solutions such as AppArmor to help slow or stop an attacker.

Discovery relies upon solutions such as Tripwire monitoring for file system changes, log monitoring, and firewalls.

Cyber Kill Chain: Lateral Movement

Lateral movement is where Magecart comes into play.  The attacker has in some way compromised the integrity of the content on the web server.  They will install JavaScript to steal credit card data and login credentials from the user's web browser.  The JavaScript will be programmed to exfiltrate the information to a remote location accessible to the hacker.  

Mitigation and Discovery

Mitigation can be accomplished through solutions such as CSP and SRI, however they are often time consuming, poorly implemented and very rigid in their implementation style.  All resulting in productivity and cost trade-offs that most businesses deem too much to bear.  You can find more information on the CSP/SRI approach in our recent client-side web security blog.  

Some mitigation strategies rely on telemetry and behavioral analytics.  This approach involves instrumentation, and analyzing and baselining web page behavior over a period of time.  Alerts are sent based on potential anomalies detected. While potentially effective, this approach leaves the door open to data theft, literally, until the attack is accurately detected, diagnosed, and mitigated, which on average takes months to do.

A very different approach, full disclosure - this is enabled by Ensighten, is to prioritize customer data protection above everything including attack detection and diagnosis.  Organizations use technologies like Ensighten to proactively define, control and monitor a boundary of domains within which website customer data can be shared.   Using this approach prevents data theft even when JavaScript code has been corrupted and set up to steal data.  Customer data is always safeguarded first, and then teams are notified of data theft attempts.  

Cyber Kill Chain: Obfuscation / Anti-Forensics

Obfuscated JavaScript is ubiquitous in Magecart attacks and highly problematic.  The goal of its creator is to prevent someone from looking at JavaScript and identifying it as malicious.  There are business use cases for obfuscation, however it's more commonly used for hiding malicious activity.  We are also now seeing malicious JavaScript being embedded in Cascading Style Sheets (CSS).  A clever trick to further obfuscate someone from being able to detect an attack.  

Mr. Sniffa, a SaaS solution for exploiting Magecart sold on the Dark web, has been observed using whitespace encoded binary to mask code. These whitespaces (see example below) are easily missed by anyone looking to identify corrupt code, and leads to attacks that are operational and go undetected for months:

Mitigation and Discovery

There are no clear solutions for detecting malicious JavaScript without serious caveats.  The primary reason -- false positives!  Discovery could include identifying new JavaScript within the HTML of your website. 

Obfuscation makes it very difficult to detect attacks and highlights the importance of safeguarding data from unauthorized endpoints proactively to prevent data theft while detection and action is taken to stop the attack and close the vulnerability.

Cyber Kill Chain: Denial of Service

We have not observed DDOS as a Magecart tactic.  It doesn't follow the modus operandi of an attacker trying to quietly steal sensitive data from a website. 

Mitigation and Discovery

Opensource solutions like ModEvasive can help thwart some of these attacks. Others require industrial-strength solutions such as NetScout.

Cyber Kill Chain: Exfiltration

Magecart has always strived to go undetected.  Exfiltration techniques include converting text to base64 and utilizing encryption such as SSL.

SaaS solutions exist to help the web skimmer in exfiltrating data.  Two notable solutions are Mr. Sniffa and InterSkimmer.  InterSkimmer is an out-of-the-box skimming tool that requires minimal technical expertise to use.  It even comes with dashboards and back-end storage. These tools dramatically lower the barrier to stand up a digital skimming, data exfiltration operation.

Mitigation and Discovery

The mitigation strategy needs to be centered around preventing data from being sent to unknown and unauthorized domains. As discussed in the Lateral Movement Cyber Kill Chain section above, many techniques can be employed, but the most effective defense is establishing a secure boundary of domains that are known and approved for data access.  And then putting in place the controls to monitor and ensure this data stays within set boundaries.


Let us know if you want to speak with an Ensighten Web Compliance and Privacy specialist.
Let's connect.  









Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.

Learn more about Ensighten and our solution

CCPA guide

Learn more about the key requirements of the legislation and how you can ensure both compliance and data loss prevention on your website

Read Now

Third-party JavaScript blog

Learn more about the risk of third-party JavaScript components and how to ensure protection against data leakage

Read Now

Online demo

See the Ensighten solution in action to learn how we can help ensure both compliance and data privacy

Book Now