Magecart: A Growing Menace to E-commerce

If you shop online often, you should know about Magecart attackers: how they compromise shopping sites and harvest your payment details when you check out.

E-commerce is growing at an unprecedented rate all over the world, with a tremendous increase in online buyers every year. Some notorious cybercrimes accompany e-commerce’s sprawl across the globe. Attackers with malicious intent hijack the payment portals of e-commerce websites, gathering the payment credentials of buyers. One such infamous syndicate of cyber attackers targeting e-commerce is Magecart (or Magekart).
Magecart is an umbrella association of skilled individuals and threat groups that use the same modus operandi. The group first came to attention in 2016 and has been prolific since then. They mainly target e-commerce websites, either directly or via vulnerable third-party services, by injecting malicious JavaScript code into payment portal pages. They then allegedly steal the credit card and payment information of thousands of web visitors. Magento, a third-party shopping platform, is the primary target for these attackers and inspired the infamous name Magecart, that is, “Magento” and “shopping cart”. Magecart is also often used to refer to a particular type of attack that uses specific tactics, namely supply chain attacks and digital skimming.

Supply Chain Attack and Digital Skimming

A supply chain attack, also called a value-chain or third-party attack, is a technique to compromise a system through outside software or a utility that already has access to the target system. These external platforms usually include services integrated with a website to improve its functionality, and the most vulnerable ones are targeted. In the case of Magecart attacks, the third-party services most often targeted to hijack shopping websites have been Magento and OpenCart. When a single service vendor is compromised, Magecart gets access to thousands of sites at once!
Digital skimming, also known as online card skimming or simply web skimming, is the malicious practice of acquiring the credit card or payment data of web visitors. ATMs and shopping malls have seen physical skimming, where webcams and covertly installed devices capture credit/debit card details. Web skimmers do the same thing with digital tools and malicious scripts that hijack payment webpages and present their own payment page or a look-alike form to unsuspecting users. Formjacking is the term for hackers who use proxy payment pages on the web servers to steal PII (personally identifiable information). Digital skimming is the signature technique used by Magecart attackers to tamper with checkout pages on online shopping websites.
By combining both techniques, Magecart attackers gather payment credentials.

The Magecart Attack

Magecart attackers learn about vulnerabilities in third-party platforms and tamper with the client-side code. They also exploit vulnerabilities in open source libraries. After compromising the website, the attackers inject JavaScript code into the payment portal pages to “skim” the payment credentials of buyers. Magecart attackers also obfuscate the injected skimmer and hide it inside legitimate code, and geofence the target website to a country or region to stay under the radar.
The injected code captures the information entered by the buyer, including the credit card number and PIN. This information is transmitted to the attacker’s server, and these cybercriminals are then free to go shopping with the buyer’s account details!
In 2018, a Magecart skimmer code compromised multiple websites every hour! This earned them a spot on the list of “The Most Dangerous People On The Internet In 2018”.
Figure: Magecart attacks since its inception
Magecart carries out the most prominent digital skimming attacks, and no Magecart hacker has been caught to date!
In 2018, with a well-crafted supply chain attack on British Airways, the largest airline in the UK, Magecart victimized more than 380,000 customers. The injected skimming code was just 22 lines of JavaScript!
Figure: 22 lines of JavaScript affecting 308,000 customers
By crawling through the individual scripts on the British Airways website, then identifying and stripping out the modified skimmer JavaScript, the security of the system was restored.
Figure: The tampered script in the British Airways site
Figure: Clean version of the compromised script
Figure: Timestamp when skimming began
Magecart has been a familiar adversary of e-commerce giants since its inception. RiskIQ research states that Magecart has hit at least 6400 sites. Digital skimming is the new normal for them.

Mitigation and Prevention Methods

  • Content Security Policy (CSP) and Subresource Integrity (SRI) are web technologies that protect visitors: CSP restricts where scripts may be loaded from, and SRI verifies the integrity of each script that is loaded.
  • Site owners with limited resources can use free online website scanners that spot suspicious scripts.
  • A single website usually contains code from many different sources, and each one is a potential supply chain breach. It is better to take a zero-trust approach to JavaScript on the site: build a policy that blocks access to sensitive information by default and allows only selected, vetted scripts to access sensitive data. Then, even if skimming code enters the site, it cannot obtain the credentials or other sensitive data.
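As an added example that is not part of the original article, the following Python script audits a constructed checkout page the way the CSP and SRI advice above suggests: it flags scripts from origins outside an assumed allowlist, scripts without an SRI integrity attribute, an SRI mismatch against the known-good script body, and inline scripts, and it emits a CSP header whose connect-src and form-action directives keep captured form data from being sent to any other origin. The hosts, file path and script bodies are assumed sample values.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts vetted to serve scripts on the checkout page (assumed values, not a real site).
ALLOWED_HOSTS = {"cdn.example"}
def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI integrity value ("sha384-<base64 digest>") for a script body."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()

# Known-good body of the first-party checkout script (constructed).
KNOWN_BODIES = {"/js/checkout.js": b"function pay(form){ /* vetted first-party code */ }"}
# Constructed checkout page: a first-party script with a correct SRI hash, a vetted CDN
# script without SRI, a script from an unknown host, and an inline script.
PAGE = f"""<html><body>
<script src="/js/checkout.js" integrity="{sri_hash(KNOWN_BODIES['/js/checkout.js'])}"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://static-update.example/j.js"></script>
<script>window.dataLayer = [];</script>
</body></html>"""
class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))
def audit(html: str, allowed_hosts: set, known_bodies: dict) -> list:
    """Return (severity, message) findings for scripts that weaken CSP/SRI protection."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s.get("src")
        if src is None:  # inline script: a host-based script-src cannot vet it
            findings.append(("warn", "inline script; needs a CSP nonce or hash"))
            continue
        host = urlparse(src).hostname  # None for first-party relative paths
        if host and host not in allowed_hosts:
            findings.append(("high", f"script from unvetted origin: {src}"))
        if not s.get("integrity"):
            findings.append(("medium", f"no SRI integrity attribute: {src}"))
        elif src in known_bodies and s["integrity"] != sri_hash(known_bodies[src]):
            findings.append(("high", f"SRI mismatch, script body was modified: {src}"))
    return findings

def csp_header(allowed_hosts: set) -> str:
    """CSP: scripts only from self and vetted hosts; connect-src/form-action 'self' block exfiltration."""
    return (f"Content-Security-Policy: default-src 'self'; script-src 'self' "
            f"{' '.join(sorted(allowed_hosts))}; connect-src 'self'; form-action 'self'")
```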
In the wake of COVID-19, with brick-and-mortar outlets closed to shoppers, online shopping has ramped up. Many e-commerce websites witnessed system breaches and the theft of information of millions of buyers during this time. So it is always better to avoid smaller and less known shopping sites, as these have proven to be more vulnerable to information theft.


Ayush Dubey (https://ayush7ad6.wordpress.com/)
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology, with cybersecurity as his primary field of interest. He loves to meet people who are always in a hustle to learn new things.
