Every day we hear about some new threat or vulnerability in technology, and the data-harvesting attack known as “Magecart” is the latest threat. I discussed this threat with Peter Blum, vice president of technology at app delivery provider Instart.
Magecart attack: Defined
Scott Matteson: What is a Magecart attack?
Peter Blum: Magecart is a form of data skimming, which attacks using the client-side browser as the front door for consumer interactions. “Skimming” is a method used by attackers to capture sensitive information from online payment forms, such as email addresses, passwords, and credit card numbers. For Magecart specifically, hackers implant malicious code into websites in order to steal credit card information as people enter credentials on the checkout page.
Scott Matteson: How does it work?
Peter Blum: Data skimming attacks like Magecart typically follow a well-established pattern. They must achieve three things to be successful.
- Step 1: Gain access to your website
There are typically two ways attackers gain access to your website and place skimming code. They can either break into your infrastructure or your server and place the skimmer there, or they will go after one of your third-party vendors, especially if they are an easier target, and infect a third-party tag that will run a malicious script on your site when it is called in the browser.
- Step 2: Skim sensitive information from a form
There are a lot of different ways that groups can capture data, but the skimming code is always some sort of JavaScript that listens for personal information and collects it. We have seen an approach where they monitor all the keypresses on a sensitive page or some that intercept input into specific parts of a webform like the credit card and CVV fields. Generally, attackers will hide malicious code inside other code that looks benign to avoid detection.
- Step 3: Send information back to their server
This is the simplest part of the whole process. Once hackers gain access to your website and scrape the data they want—it’s game over. They can send the information from the end users browsers to almost any location on the internet.
Responsible party
Scott Matteson: Who is behind this?
Peter Blum: Magecart is the name given to this category of attacks; it’s not a specific organization or entity. There are dozens of different cyber criminal groups that use this style of attack. In the last year, high-profile attacks occurred against companies like British Airways, Ticketmaster, and NewEgg.
Scott Matteson: What vulnerabilities/environments does it prey upon?
Peter Blum: Today, it’s not uncommon for a single website to be made up of code that is created and operated by as many as 50 different companies. Code that is developed in-house and runs on your own website is called first-party code. Code that comes from other companies is called third-, fourth-, or even fifth-party code.
Many customers are unaware that when you integrate code from other companies it actually has the same level of privilege as your own code. That means this outside code can display messages to your users, exfiltrate sensitive data entered by users or stored in cookies, or even redirect the user to another site.
At Instart, we are seeing more and more websites where as many as 75% of calls made by the browser are from sources other than your company. So, how do you really know what’s going on when websites rely on code from 50 different cloud services, hosted by 50 different organizations? This is the trap that many retailers have fallen into, and Magecart attackers prey on. A vulnerability anywhere is a vulnerability everywhere.
The good news is that you can protect sensitive information. The key is that all of this code only comes together when it is assembled in the consumer’s browser. So you need to deploy technology that can monitor and protect sensitive data in real-time in the browser.
Address the threat
Scott Matteson: What should IT departments do to address this threat?
Peter Blum: The issue with Magecart is that there’s a lot of confusion when it comes to actually protecting against these web-based card skimming attacks. For example, auditing a website on a regular basis cannot stop attacks, as the problem comes from third-party tags, which auditing won’t detect.
My advice for IT teams is to take a zero-trust approach with JavaScript on their sites, starting with a policy to block access by default to any sensitive information entered in web forms and stored cookies. From there, you only allow a select set of vetted scripts (usually only your own) to access sensitive data. And as a result, if this type of skimming code does get on your site, it simply can’t access any of the sensitive information.
Unfortunately web browsers don’t provide this type of functionality, so IT teams need to either implement their own protection approaches or bring in technology from outside vendors that specialize in protecting against these types of attacks.
Scott Matteson: What should end users do to address this threat?
Peter Blum: Many consumers put trust in the online stores and sites they shop at. It’s best to avoid smaller websites that most likely don’t have the same level of security as larger, more established organizations. End users should ensure that they keep tabs on charges to their credit cards. Many times, small test charges will be made to ensure a credit card number is still active before more widespread fraud. End users should also consider using payment systems like Apple Pay that generate unique numbers for each transaction, ensuring that if attackers get a number they can’t re-use it in the future. And finally, these days credit monitoring systems have become a must-have to ensure that personal data is not being leveraged to open new accounts in your name.
Scott Matteson: How is this threat likely to evolve?
Peter Blum: We have seen even over the last year this type of attack become more common and evolve at an alarming pace. While the initial approaches were easier to detect, cyber criminals now hide their malicious code through encoding and obfuscation deep within harmless code, which makes it almost impossible to reveal these attacks by looking at third-party code. And we now see hackers encode stolen information before it’s sent off the browser to evade pattern detection systems that look for credit card numbers. The best approach is to take a zero-trust model and only allow very specific vetted code to access sensitive information.
Scott Matteson: What are some recommended proactive steps to take to manage evolving Magecart attacks?
Peter Blum: The best defense against Magecart attacks is preventing access. Online companies need a solution that intercepts all of the API calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.
We continue to see a big uptick in attacks against websites that take and process payment information from end users. Not only are we seeing Magecart-style attacks like this steal information directly from end users, but also sophisticated bot attacks that leverage stolen user credentials and credit card numbers to commit fraud using data found on other sites.
It’s critical that brands think beyond the edge and deploy end-to-end web security protection that can mitigate Magecart attacks in the browser and protect backend infrastructure, while also stopping sophisticated botnet attacks. With the massive increase in third-party services being used, we also see legitimate third parties accidentally capturing sensitive user information, which can expose companies to breach of industry and government regulations including PCI, HIPAA, GDPR, and CCPA.