Other platforms are at risk from Magecart attacks



Avishai Shafir, Director Product Management, PerimeterX

The Magecart group of digital skimming attacks takes its name from the open source e-commerce platform Magento. Most of the digital skimming attacks on the Internet by so-called “Magecart gangs” target Magento, many older versions of which are still running e-commerce applications.

But Magecart is now much bigger than Magento. In December 2020, researchers identified a new, more technologically advanced type of Magecart exploit. Developed, like other Magecart attacks, to extract credit card information from web applications, this skimmer could target many popular e-commerce platforms and content management systems (CMS), including Magento, WordPress, Drupal, Shopify, BigCommerce, Salesforce Commerce Cloud, and WooCommerce.

A cross-platform scourge for the digital age

The advent of this versatile skimmer is one of a growing number of signs that Magecart gangs are expanding their digital skimming efforts to a wider range of platforms. For example, in May 2021, Magecart gangs were identified as the source of a new twist on digital skimmers called MobileInter, which targets mobile browsers and mobile websites and works to identify mobile users across a wide variety of browsers.

This expansion of targets is a logical development. By increasing the attack surface, the Magecart gangs expand their total addressable market. Equally important, Magecart skimmers are becoming more and more platform independent, designed for any number of applications that run the same frameworks and languages, namely PHP and JavaScript. For security teams and web application operators, protecting their digital storefront means applying the risk mitigation lessons learned from Magecart to any e-commerce application that collects sensitive financial information from customers.

Since its inception in 2015, Magecart has become a comprehensive descriptor for a wide range of digital skimming attacks on web and mobile applications. Skimming used to focus on point of sale (POS) terminals, where skimmers might be physical devices or POS system hacks, and it has rapidly shifted to internet and e-commerce platforms over the past five years. Today, most of the skimming of personal and financial information on the web and in mobile applications occurs in card-not-present transactions.

This shift has made Magecart and digital skimming one of the most serious and financially damaging cybersecurity threats to e-commerce, financial services, travel, and government sites. In a Magecart attack, malicious hackers inject a “skimmer”, unauthorized JavaScript code, into checkout pages or other pages where customers enter sensitive information. Some Magecart attacks inject modified forms or replace the entire page, inserting additional fields to collect data that the legitimate forms do not request. Skimmers can also be narrowly targeted; there is a whole family of Magecart attacks specifically focused on stealing data from cryptocurrency users. Magecart attacks use advanced obfuscation techniques to make the skimmer code difficult to see or understand.

Magecart skimmers often work for months without the site operators or their security teams knowing about the hack. Because Magecart changes application behavior only in subtle ways on the client side of the application, operators have no direct way of observing the often difficult-to-see changes in what a user sees. Magecart attacks have successfully compromised thousands of web and mobile applications. The victims include dozens of global brands such as British Airways and Macy’s. The annual cost of Magecart attacks to online retailers and other operators is difficult to calculate accurately because these attacks are counted together with other financial attacks. The total runs into the billions every year, including losses, remediation costs and damage to reputation. For example, British Airways paid a $20 million fine for failing to protect its customers from a Magecart attack.

How Magecart is evolving beyond Magento

Magecart attacks that inject digital skimmers into web application code were frequent during the Covid-19 pandemic and have since stayed high across a wider range of platforms. The expansion to additional platforms is not rocket science. WordPress, WooCommerce, and Magento use PHP as their primary application code base. All use JavaScript, the language of the web, as the primary client-side language for business logic. This concentration allows Magecart gangs to quickly modify an attack targeting one platform so that it works on another.

Magecart attackers have also recognized that third-party plugins and add-ons provide efficient ways to compromise other platforms. For these attacks, Magecart gangs add code to the plugins’ source code repositories or build processes. Since plugins are rarely modified from one e-commerce platform to another, Magecart attack code usually works well on plugins across platforms. This type of Magecart compromise, known as a “supply chain attack,” is preferred by more sophisticated gangs and is even more dangerous because it delivers the payload through trusted third parties. The site operators may not even have insight into the compromised code; the only way to identify the anomaly is by seeing the changes that customers are experiencing.

How to fight evolving attacks

For security teams and operators running online e-commerce stores that don’t run on Magento, the risk of skimming attacks from Magecart gangs grows as the threat shifts to a wider range of target platforms. Preventing these attacks requires a deeper understanding of where Magecart exploits are likely to attack and the behaviors they are likely to engage in. With this shift towards a wider range of targets and cross-platform Magecart code, attacks tend to focus on more universal attributes shared by all of those platforms, like plugins, shared fields or even favicons, a popular means of obfuscating and inserting unwanted JavaScript code. Alternatively, Magecart gangs program behavior that recognizes certain attributes such as payment forms or credit card prompts. This makes Magecart more dangerous as it becomes more widespread.

More basic cybersecurity tools like web application firewalls (WAFs) provide little or no protection from Magecart attacks. WAFs protect against inbound (server-side) attacks, but not against client-side attacks. Some security teams run static scans on their web application code to identify changes and anomalies. Magecart attacks get around this by inserting themselves into third-party code (such as favicons) that is dynamically provisioned. A more effective approach is to use content security policies (CSPs) to constrain business logic and prevent web application code from engaging in undesirable behavior. CSPs require significant tuning, however, and still do not provide sufficient protection, for example against the compromise of a trusted domain that inserts a skimmer into the application code.

In addition, CSP can control a page’s traffic (inbound and outbound) with a domain based on an allowlist policy. This method does not help if the attack vector is a valid domain (like Google or another large software provider). Applying these restrictions also results in a lot of errors on the site whenever developers forget to update the CSP.
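To make the allowlist point concrete, here is an added example (not code from the article or from PerimeterX) that evaluates candidate script sources, outbound connections and form posts against a constructed CSP; the storefront origin, the vendor hostnames and the policy itself are assumptions. It shows both what the allowlist blocks and the two gaps described above: a compromised trusted domain passes, and a legitimate vendor missing from the policy breaks.

```javascript
// Added example (not from the article or PerimeterX): a minimal evaluator for CSP allowlist
// directives: 'self', scheme sources, "*." host wildcards, default-src fallback (no nonces/hashes/ports/paths).
const SITE_ORIGIN = "https://shop.example.test"; // constructed storefront origin
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}
function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  const suffix = pattern.slice(1); // "*.vendor.test" -> ".vendor.test"
  return host.endsWith(suffix) && host.length > suffix.length;
}
function sourceMatches(source, url) {
  const s = source.replace(/'/g, "").toLowerCase();
  if (s === "self") return url.origin === SITE_ORIGIN;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. "https:"
  const m = /^(?:([a-z]+):\/\/)?([^:/]+)/.exec(s); // optional scheme, then host
  if (!m || (m[1] && `${m[1]}:` !== url.protocol)) return false;
  return hostMatches(m[2], url.hostname);
}
function isAllowed(policy, directive, urlString) {
  const url = new URL(urlString);
  let sources = policy[directive];
  // Fetch directives fall back to default-src; form-action (navigation) does not.
  if (!sources && directive !== "form-action") sources = policy["default-src"];
  return !sources || sources.some((src) => sourceMatches(src, url));
}

// Constructed policy for the storefront above; the vendor hostnames are made up.
const POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://tags.trusted-vendor.test; " +
  "connect-src 'self' https://*.trusted-vendor.test; form-action 'self'"
);

function demo() {
  return {
    // Unlisted destination: blocked, the allowlist does its job.
    unknownHostBlocked: !isAllowed(POLICY, "connect-src", "https://collect.unknown.test/q"),
    // Allowlisted vendor: passes, so a compromise of that trusted domain is invisible to CSP.
    trustedVendorPasses: isAllowed(POLICY, "connect-src", "https://api.trusted-vendor.test/q"),
    // Legitimate new vendor nobody added to the policy: blocked, the breakage the text warns of.
    newVendorBlocked: !isAllowed(POLICY, "script-src", "https://cdn.new-vendor.test/w.js"),
    // Checkout form posting anywhere but the site itself: refused.
    foreignFormActionBlocked: !isAllowed(POLICY, "form-action", "https://api.trusted-vendor.test/"),
  };
}
```

Running `demo()` returns `true` for all four keys, which is exactly the article’s point: the policy stops unknown destinations but cannot distinguish a trusted vendor from a compromised one.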

To adequately protect themselves against all types of Magecart attacks, security teams and site operators should look for solutions that continuously analyze application behavior (client-side security monitoring) to identify minor anomalies that may indicate the presence of a skimmer. Since all skimmers have the same goal, they tend to behave similarly. Machine learning (ML) is an ideal tool for studying skimming behavior and the legitimate behavior of web applications at scale, across billions of interactions.

With these insights, ML technology can identify general Magecart behavior patterns and detect when an application deviates even slightly from expected routine behavior. By analyzing application behavior in real time and comparing it to past behavior, retailers can detect Magecart attacks as they happen and alert site owners to the problem. As Magecart continues to evolve and expand its target list, the best defense against known and unknown threats is to know the enemy and fight them in real time.

PerimeterX provides security services for websites and mobile applications.


