Why Online Shopping Carts Aren't Safe

November 3, 2020 - Ensighten

Due to the prevailing COVID-19 situation around the world, online shopping has experienced a boost. As of April 2020, there has been 129 percent year-on-year growth reported for US and Canadian ecommerce. While online shopping is convenient, it is also the “safest” option due to the contactless delivery option. 

Since shoppers are spending more time online, it also raises questions about the security of these platforms. While the preference for online shopping was rising regardless, it was not as popular as it is now, showing that online retailers have more traffic on their platforms than before. As more customer data is being shared on these platforms, it exposes customers and businesses to cyberattacks. Shopping carts are a key path to administering attacks on websites: from adding items to buy to building up a “wish list” and making payment, shopping carts hold a wealth of information, making them attractive targets for hackers and scammers. 

 

The risk of third-party libraries  

Ecommerce websites use vital third-party integrations for everything from securing payments, to implementing shopping cart and payment functionality. But using these third-party technologies also exposes businesses to more vulnerabilities, which need to be mitigated and managed to stop Magecart and web skimming attacks.  

Using third-party libraries has been on the OWASP Top 10 vulnerabilities list for the past seven years under ‘A9:2017-Using Components with Known Vulnerabilities’. A preventive measure that one can take is to continuously monitor the versions of both client-side and server-side components and their dependencies using tools like ‘retire.js’ (as seen in the below image). ‘retire.js’ will show you the known vulnerabilities of the versions currently installed and mitigation steps and is the key to keeping your third-party applications secure on both client and server side. The below screenshot is that of our test site. It is worth remembering that this will only monitor, rather than actively prevent any web skimming or client-side website attacks.

code-1

Shopping cart attacks explained 

Shopping carts facilitate every purchase. Once a customer adds products to a shopping cart, they are taken to the payment gateway system for online payments – this page can be exploited and is the catalyst for credit card frauds. Online skimming exploits, such as Magecart attacks, are heavily dependent on third-party libraries such as shopping carts and payment gateways. The term “Magecart” is used to refer to a collusion of hackers who actively exploit shopping cart systems. A popular attack since 2014, Magecart attacks were known to cause an upheaval of established payment platforms in 2019. 

While small scale online stores act as a good target for Magecart attacks due to the absence of safeguards on these platforms, larger well-known brands are more at risk than ever before due to the large wealth of data and greater returns on the dark web and their usage of multiple third-party code. We have created a test site to be able to show these attacks in our lab environment – the below web page is that of our test site to give you a running example. 

Hackers follow a three-step process while carrying out web skimming attacks on online shopping carts. In this example, we are using ‘phpskimmer’ – this is how we did it: 

code-1

 

1. Placing skimming code 

Hackers administer their attacks by gaining access to the target website. Once they gain root access to these sites, they place their skimming code.  

In this example, we created a test site where we had fake customer data and order information being inputted through a bot every 12 seconds for a 24-hour time period. We exploited it through a public CVE from an unpatched version of a third-party library that helps shoppers identify the cheapest shipping vendor based on the size of the order. 

webpage-2 

2. Skimming information from forms 

Once the skimming code is placed on the site, it intercepts inputs onto specific parts of web forms like card number and CVV – this is usually done on shopping cart pages because it holds this information. Attackers disguise the malicious code with code that looks legitimate. 

In this example, we used a web skimmer based on PHP, which holds it inside of a daemon and waits to exfiltrate every day at a certain time we designated.  code-2

 

3. Reports information back to server 

Once they start receiving the information from their code, they disperse it across the internet. This reduces the likelihood of getting detected by the site’s servers.  

Once all the data is collected, it is exported into a PNG file which holds all the information that was skimmed using ‘phpskimmer’. Exporting it in a PNG file helps bypass audit methods, when the PNG file is seen as corrupted then ignored. The second image is that of the encrypted data hidden inside the PNG file. 

code-3

To help mitigate the risk associated to shopping carts and other third-party technologies, try and follow these simple rules: when using components such as libraries or software modules, make sure they are kept up to date with the most recent changes. Ensure that the third-party integrations on your ecommerce website are configured properly – misconfigurations are one of the top reasons that ecommerce websites get compromised. Lastly, another key reason ecommerce sites are compromised is down to their lack of visibility over third-party code and technologies – it is imperative that you are aware of what is running on your website and where data is being shared.  

By adding a single line of code, Ensighten delivers a security layer that enables you to control what third parties are running on your site and prevent code from sending data to unauthorized network locations unless you have specifically enabled one to do so, thus preventing exploitation of your third-party website technologies. You can learn more about the risks associated to third-party libraries and how to protect against these attacks here.