What is Magecart? Understanding the Famous Supply Chain Attackers

We explain what is behind the surge in Magecart attacks, how the criminals are stealing your customers’ data and how you can prevent them

What is Magecart?

A more accurate question is who is Magecart? Magecart is a global consortium of at least seven (and expanding) separate cybercriminal groups that have been behind some of the most high-profile cyberattacks of the past few years.

Their goal is to steal the personal and financial data of customers purchasing goods online, which they continue to achieve with frightening success. In 2019, after just 2.5 hours of initial investigation, more than 80 compromised ecommerce sites globally were found actively sending credit card numbers to off-site servers under the control of the Magecart groups.

So, where did Magecart come from? Magecart, as we understand it today, grew out of a single group, which in 2014 started compromising vendor websites and injecting web skimmers. A new group emerged in 2016, with a different skimmer and infrastructure from the first group. Researchers believe both the evolution of skimmers and the multiplication of groups continue to this day.

The extent of the attacks has even triggered warnings from the likes of the FBI, as well as industry groups such as the PCI Security Standards Council and the Retail and Hospitality Information Security and Analysis Center (ISAC), which have urged online retailers to be on their guard against attacks.

Why are Magecart attacks increasing?

There are several reasons why Magecart attacks are on the rise. Firstly, there is a greater pool of victims to target than ever before. Nearly seven in ten Americans say they have purchased an item online, with 43 percent of US citizens saying they are regular online shoppers. That percentage is expected to rise to 91 percent in 2023.

It is also more difficult for criminals to target physical credit card transactions thanks to the move to more secure chip-based card infrastructure – therefore, they switch to ecommerce fraud, which is also becoming more lucrative.

Data stolen from bricks and mortar merchants with the help of malicious software or scammers is called ‘dump data’. In contrast, the security code (CVV) from a payment card often stolen from online retailers has typically been worth less than half the value of dump data. However, with it becoming more expensive for thieves to fabricate and successfully use dumps over the course of the last year, demand has caused security code prices to increase and more cybercriminals to focus on hacking ecommerce websites instead.

It is reported that a single piece of payment card information will fetch about $45 on the dark web. In addition, the dark web is not just a place to buy or sell stolen data; it also enables cyberattacks by making hacking tools easily and cheaply available to anyone with a laptop.

It is also important to recognize that website owners today outsource critical components of their code, such as shopping carts and card payment systems, to third parties. Websites make use of imported code libraries or, in some cases, link their app directly to third-party scripts hosted on the web. The code could be compiled from dozens of different sources – almost all of which are beyond the boundary of traditional internal IT security systems.

Which leads us to this final point: web security is still massively overlooked by many organizations. Despite 83 percent of global firms anticipating a potential data breach, two-thirds of executives are still not taking the necessary measures to protect their businesses. Only 34.5 percent say they have implemented policies related to client-side website security (where Magecart attacks occur), with the remaining 65.5 percent saying they do not yet have proper policies in place.

How do Magecart attacks work?

There are some differences as to how these groups operate: while some limit their victims to just a few high-value organizations, 2019 saw an increase in mass attacks designed to hit as many vendors as possible. The groups use a host of different tools and tactics, including several different code inject types, skimmers of varying sophistication and countless intrusion methods.

Many carry out a form of supply chain attack, targeting websites’ third-party vendors to gain the access they require to an organization’s web applications. Originally targeting online payment platform Magento, Magecart groups can now target almost any web environment, including dozens of other online shopping platforms used by stores around the world.

What all the attacks have in common is that they use digital skimming, or formjacking, to steal website visitors’ payment card information. F5 Labs’ Application Report 2019 discovered that the method was responsible for 71 percent of all analysed web-related data breaches throughout 2018 – with 49 percent occurring in the retail industry.

Additionally, the threat is persistent. One in five Magecart-infected stores are re-infected within days, according to a report by security researcher Willem de Groot

The report notes that:

• Magecart operatives often litter a hacked store with backdoors and rogue admin accounts
• Magecart operatives use reinfection mechanisms, such as database triggers and hidden periodic tasks, to reinstate their payload
• Magecart operatives use obfuscation techniques to make their presence indistinguishable from legitimate code
• Magecart operatives utilize unpublished security exploits (aka 0 days) to hack sites – exploits for which there are no patches

What is digital skimming and how does Magecart steal customer data?

Put simply, the Magecart hackers inject malicious JavaScript (JS) code that scrapes customers’ credit card details and other information as they enter them at the checkout in real time, known as web skimming or online skimming. As mentioned earlier, they can do this by exploiting vulnerable plugins to gain access and inject the code either directly or via a third party’s software library.

Supply chain targets of this type can include everything from third-party chatbots to software that performs web analytics or web management functions. One high-profile example was Ticketmaster, which suffered a Magecart attack after the group exploited an external third-party script from Inbenta; an online chatbot that provided support on Ticketmaster’s website. It was discovered that Magecart had used Inbenta to steal information from up to 40,000 customers, which included names, addresses, email addresses, telephone numbers, payment details and login details.

PCI compliance prevents customers from storing their three-digit credit card security code on a website’s servers, so criminals are focusing their efforts on the client side of the website to capture those details as they are entered. These types of attack are difficult to detect as they occur on the client-facing side of the website, so often a website is infected without the merchant or consumer being aware that the information has been compromised.

How is Magecart different from traditional online skimming?

Magecart is synonymous with digital skimming attacks. However, the group continues to evolve and expand its attack methods.

For example, researchers at Visa recently uncovered a new type of JavaScript skimmer that infected the online checkout pages on at least 17 ecommerce websites to steal payment card data. The skimmer, called ‘Pipka’, can remove itself from the HTML of a compromised payment website after it executes, enabling it to avoid security detection, according to the researchers.

Elsewhere, it was discovered that Magecart groups are compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once, with Magecart now making up 17 percent of all malicious advertisements.

2019 also saw Magecart adopt another attack method, compromising thousands of websites with its skimming code by scanning for misconfigured Amazon S3 buckets.

How likely is it that you will be exposed to a Magecart attack?

So prevalent are the Magecart attacks that one security company says it now detects a breach every five minutes.

As well as diversifying their attack methods, researchers have discovered evidence of Magecart’s reach spreading globally. They have found links between Magecart and a sophisticated cybercrime group called Cobalt, which reportedly targets financial institutions worldwide.

In addition, researchers from IBM have found evidence that another cybercrime group called FIN6, known for compromising physical point-of-sale systems of organizations from the retail, hospitality and restaurant sectors, has branched out into web-based card skimming.

It is also important to note that some of the most recognisable brands in the world were hit by Magecart attacks in 2019, including Macy’s, Puma, Forbes, The Guardian, Garmin, Sweaty Betty, The American Cancer Society and even the Sesame Street online store.

Already in 2020, Magecart is suspected of being behind an attack that targeted the payment data from a diverse range of websites, including ones selling Olympic tickets and emergency preparation kits. These attacks also show how the group is evolving its attack methods by swapping out skimming domains on compromised sites to avoid detection.

There have been dozens of reported Magecart attacks over the past 12 months. Here are just a handful of examples:

• Discount Mugs’ website was hacked when malicious code was injected onto the payments page, siphoning details to an external server
• Paris-based advertising company Adverline was hacked with malicious code, which then infected 227 websites. The malicious code delivered through Adverline’s ads performed a page URL check with keywords found on checkout pages
• Sportswear brand Fila UK had a skimmer on its site which could have affected up to 5,600 customers. The attack was undertaken by a JavaScript Sniffer group, who perform similar attacks to Magecart
• Amerisleep was targeted by Magecart several times in 2017, 2018 and again in January 2019
• Similarly, Umbro Brazil was hacked three times in October 2019
• French Boutique chain Cleor’s website was infected when code was injected alongside a legitimate Facebook tracking script
• The National Baseball Hall of Fame website experienced an infection of malicious Magecart script, which was active for six months
• Gun manufacturer Smith & Wesson’s website was compromised by a Magecart attack where the script was highly advanced and loaded a non-malicious or malicious script depending on whether the customer fit their target customer

The groups behind the attacks 

Magecart is a bit of a newcomer to the card skimming community, having been recognized as a problematic trend in 2017. Over this short amount of time though, Magecart groups have been hard at work growing their influence. From 2017 through 2019, a Magecart group known as Group 8 a.k.a. “Keeper” was involved in the theft of customer data from some 570 websites, stealing nearly 700,000 customer records from the affected websites and exfiltrating the records across 73 exfiltration servers.  

Late 2019 and into 2020 saw the beginning of a new era of explosive growth and development for web skimming attacks. As the COVID-19 pandemic raged around the world, shutting down brick and mortar businesses and pushing millions to work at home, Magecart groups were hard at work refining their tools.  

Those working from home began directing more of their shopping towards online alternatives offered by their favorite retailers, and Magecart saw the opportunity to strike. Claire’s, a popular jewelry and accessories store, closed the doors of their retail locations as the pandemic began to proliferate and a month later, their online services were stricken with a Magecart attack.  

The group behind this attack is known as Hidden Cobra, though more may recognize them by their more commonly associated name Lazarus Group – the nation-state sponsored hacking group of North Korea. Beginning in April through June of 2020, the North Korean hackers had broken into the website, left a malicious skimming script embedded in the site’s code and began collecting the exfiltrated customer information from their malicious domain.  

These two groups are hard hitting, but they are just a few in a sea of many. The number of established Magecart groups continues to increase as the interest in the attack platform from nation-state actors grows. Recent discoveries in the dark markets show that some of the more recent players in the Magecart world are selling their tools for a fairly trivial investment, enticing new hackers to enter into the arena and take up the practice of  online skimming.  

Each one of the Magecart groups utilizes a different methodology and employs different tools in their arsenal and, as time moves on, the tools become more refined and complex, and as a result are becoming more difficult to spot after an infection has already taken place. 

How organizations can prevent Magecart attacks

Cybercriminals like Magecart operate by stealth by making small changes to source code. It is therefore essential you are vigilant and aware of what code is running on your website, so you can prevent any damage before it is done. This includes having full visibility of all third-party technologies and potential vulnerabilities.

This point is highlighted by the average time between infection and detection; the Ticketmaster Magecart attack remained under the radar for five months and supply chain attacks such as the one on Amerisleep and MyPillow took two months to be discovered.

With Magecart targeting the client side of a website, you need a solution, like Ensighten MarSec™, that detects when any malicious code is injected into a web page in real time and blocks the attack altogether.

It is also impractical for a modern website to avoid using third-party code, so you should identify what is running on your website, their value – and their risk – and assume a strong position of control over them. This includes allowing and blocking third-party vendors, and blocking unknown and unwanted website trackers, technologies and tags to prevent them from firing on site and collecting data.

Magecart shows no signs of slowing down – in fact, the opposite. Talk to Ensighten about how you can protect your customers’ data and your business from the increasing threat of attack.