Earlier this month, the PCI Security Standards Council joined forces with the Retail and Hospitality Information Sharing and Analysis Center (ISAC) to warn companies of the growing threat of online skimming attacks, such as those perpetrated by the prolific cybercriminal group Magecart.
So prevalent are the Magecart attacks now that security company RiskIQ says it detects a breach every five minutes.
“These attacks infect ecommerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers, and are very difficult to detect. Once a website is infected, payment card information is ‘skimmed’ during a transaction without the merchant or consumer being aware that the information has been compromised,” said the two authorities in a statement.
The hackers use various methods, including exploiting vulnerable plugins, to gain access and inject malicious code either directly into ecommerce websites or often into a third party’s software library.
These types of supply chain attacks have become more common, and account for some of the biggest data breaches to date, including Ticketmaster and Newegg in 2018. In fact, 61 percent of US companies have experienced a data breach caused by one of their vendors or third parties.
Vulnerable third-party applications and services include advertising scripts, live chat functions and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. These third-party functions are typically used by multiple ecommerce sites; the compromise of one of these functions can allow an attacker to target many websites at the same time through mass distribution of the malicious JavaScript.
In their briefing, the two associations said that any ecommerce implementation that does not have effective client-side security controls in place is potentially vulnerable: “Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets and exploiting vulnerabilities in unpatched website software,” they warned.
Additionally, the threat is persistent. One in five Magecart-infected stores is re-infected within days, according to a report by security researcher Willem de Groot.
The research noted:
- Magecart operatives often litter a hacked store with backdoors and rogue admin accounts
- Magecart operatives use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload
- Magecart operatives use obfuscation techniques to make their presence indistinguishable from legitimate code
- Magecart operatives utilize unpublished security exploits (zero-days) to hack sites, exploits for which there are no patches
Securing your website
“Securing of third-party infrastructure and restricting access and permissions of third-party scripts to only trusted sources is also essential,” says the alert. “Organizations should perform due diligence on third-party service providers and use only trusted software vendors. Choose software vendors that build security into their software products and provide ongoing support for security updates throughout the software lifecycle. Service providers should be committed to providing secure services that do not introduce risk to their customers’ ecommerce environments.”
As part of your commitment to securing your website, it is important that you have full visibility of your third-party technologies, so that you can control the data they collect and share and prevent data leakage.
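As an added example, not code from Ensighten or from the PCI SSC/ISAC alert, the Node.js script below shows one way to put the alert's "restrict third-party scripts to trusted sources" advice into practice: it inventories the script tags on a page, checks each against an allow-list of approved third-party origins, flags unapproved origins, inline scripts and approved scripts that carry no Subresource Integrity hash, and emits the matching Content-Security-Policy script-src directive so the browser enforces the same decision. The sample HTML, the hostnames and the integrity value are constructed placeholders, not real vendors or real hashes.

```javascript
'use strict';

// Constructed sample of a checkout page (placeholder hostnames, placeholder SRI value):
// a first-party script, an approved payment SDK pinned with SRI, an unapproved
// analytics tag, and an inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://payments.example-vendor.test/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.unknown-analytics.test/tag.js"></script>
<script>window.dataLayer = [];</script>
</head></html>`;

// The merchant's own host and the third-party origins approved after due diligence
// (both constructed for this example).
const FIRST_PARTY = 'shop.example.test';
const ALLOWED_ORIGINS = new Set(['https://payments.example-vendor.test']);

// Pull every <script> tag out of the HTML. A regex is enough for this demo;
// a production audit would walk a real DOM or HTML parser instead.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const integrity = (attrs.match(/\bintegrity\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    scripts.push({ src, integrity, inline: src === null, body: m[2].trim() });
  }
  return scripts;
}

// Decide what to do with one script: allow, block, or hold for review.
function classify(script, firstPartyHost, allowed) {
  if (script.inline) {
    return { verdict: 'review', reason: 'inline script; cannot be pinned with SRI' };
  }
  // Resolve relative URLs against the first-party site so /static/... is recognised as ours.
  const url = new URL(script.src, `https://${firstPartyHost}/`);
  if (url.hostname === firstPartyHost) {
    return { verdict: 'allow', reason: 'first-party script' };
  }
  if (!allowed.has(url.origin)) {
    return { verdict: 'block', reason: `origin ${url.origin} is not on the allow-list` };
  }
  if (!script.integrity) {
    return { verdict: 'review', reason: 'approved origin but no SRI integrity attribute' };
  }
  return { verdict: 'allow', reason: 'approved origin pinned with SRI' };
}

// Audit a whole page; returns one record per script tag.
function auditPage(html, firstPartyHost = FIRST_PARTY, allowed = ALLOWED_ORIGINS) {
  return extractScripts(html).map((s) => ({ src: s.src, ...classify(s, firstPartyHost, allowed) }));
}

// Build the CSP script-src directive that mirrors the allow-list, so the browser
// refuses scripts from any origin the audit would have blocked.
function buildScriptSrc(allowed) {
  return `script-src 'self' ${[...allowed].join(' ')}`;
}

for (const r of auditPage(SAMPLE_HTML)) {
  console.log(r.verdict.padEnd(6), r.src ?? '(inline)', '-', r.reason);
}
console.log('Content-Security-Policy:', buildScriptSrc(ALLOWED_ORIGINS));
```

Run it with `node audit.js` against a saved copy of a page; the two "review" cases are the ones worth a human look, because an inline script and an unpinned third-party script are exactly where a skimmer injected through a compromised vendor would sit.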
Ensighten’s MarSec™ solution provides the following to prevent unauthorized data collection:
- Allow and block: Define permissions for approved third-party vendors, allowing them to access data or blocking them from receiving specific types of data
- Reporting: Comprehensive reporting of site traffic and real-time user activity to identify any suspicious patterns or network requests
- Auditing of new scripts: Real-time view of all the technologies running on your website and full privacy risk assessment as web pages are loaded
- Stops injection-based attacks: Blocks cryptojacking and formjacking by controlling which third-party JavaScript is permitted to run in the user’s browser
The Magecart attacks show no sign of slowing down. Speak to Ensighten about how our portfolio of website security solutions will enable you to manage all your third-party vendor technologies and prevent unauthorized data skimming attacks.

Ensighten
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.