By Pedro Fortuna, CTO, Jscrambler
Magecart has certainly garnered mainstream media attention over the last couple of years, perhaps because of the high-profile nature of many of its targets (British Airways, Forbes, Equifax and Macy’s, to name but a few). Magecart is best described as a cybercrime syndicate that specialises in digital credit card theft by skimming online payment forms. These are not victimless crimes – hundreds of thousands of customers typically have their card details stolen in such attacks. With so many organisations of all shapes and sizes increasingly committing to cybersecurity, what can be done about the threat that Magecart poses?
Not all Magecart groups adopt the same strategies to breach websites. Some choose a first-party breach (either directly, by breaching the first-party server, or indirectly, by infecting code that is later pulled into the server as part of the build process). The majority, however, attack via third parties, inserting the malicious skimmer code into externally sourced scripts that companies run on their websites – live chat, widgets or analytics, for example. As soon as such a script is compromised, it starts covertly serving the web skimmer to every shopper who visits the payment page.
There’s a reason why attackers look at third-party scripts and see low-hanging fruit. These scripts are the weakest link in the web supply chain, as the companies that use them have effectively zero control over their security. Because the attack originates from a source that is trusted by default (a legitimate third-party supplier), the malicious code can easily bypass firewalls and similar detection mechanisms.
If, as a business, you interact with customers through an eCommerce platform or website, then you need to be 100% sure that the website content your customers receive is what you expect them to receive. Are your potential customers interacting with a trustworthy site, or has it already been tampered with by attackers? You might be surprised to learn that in many cases, neither business owners nor security teams have a definitive answer. After so many years spent focusing on the server side of security, what happens on the client side (i.e. the browser, the environment where Magecart attacks operate) tends to go largely unnoticed.
There have been enough Magecart attacks now to enable study and analysis. It is clearly understood that there’s no guaranteed way of preventing these types of attacks altogether. However, organisations can shift their attention to what is happening on the client-side. In essence, if organisations cannot be clear about what code their users are receiving upon visiting the checkout page, they clearly have a massive client-side security gap. And this is where Magecart thrives.
Organisations should definitely vet third-party code and their suppliers’ security (or lack thereof). However, this often takes second place to product development. The job ultimately falls to any client-side security systems that are in place. In most cases, however, none seem able to prevent Magecart. And it’s not like Magecart attackers are waiting around for organisations to play catch up.
Evidence shows that Magecart web skimming attacks are growing more sophisticated with each iteration. Recent versions of Magecart use bot detection techniques to avoid detection by some security solutions, making it even harder to stop the skimmer in its tracks. It makes sense, therefore, that the way we address these attacks should evolve in a similar fashion. By adopting an evolving security mindset (instead of looking for a solution that prevents unpreventable malicious code injections), organisations will be better equipped to detect such injections and quickly block Magecart attacks. Third-party management and validation are a good start, but not enough. Vetted scripts can change behaviour, so the key is to trust these scripts only as long as their behaviour doesn’t change. A live chat script should not interact in any way with the payment form. A script that never sends information out should never be able to send data to an unvetted domain. Rather than vetting the code alone, restricting these behaviours is what makes a good defence – effectively employing a defence-in-depth strategy.
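To make the behavioural restriction above concrete, here is an added example (not code from the article or from Jscrambler) of a minimal client-side egress guard: it wraps the browser's outbound-request APIs so that a script can only send data to the page's own origin or to hosts the page owner has vetted, and every blocked attempt is reported. The allowlist, the `report` callback and the window-like object are assumptions of this example.

```javascript
// Added example, not from the article: a minimal client-side egress guard that
// enforces "no data to unvetted domains" for scripts running on a checkout page.
// Assumption: the page owner maintains the allowlist of hosts its vetted scripts
// legitimately contact. Works on any window-like object (real browser or a stub).
function hostOf(url, baseHref) {
  try { return new URL(String(url), baseHref).host.toLowerCase(); }
  catch (e) { return null; }               // unparsable URL: never allowed
}

// Policy: same-origin requests and vetted hosts (or their subdomains) pass.
function isVettedDestination(url, baseHref, allowedHosts) {
  const host = hostOf(url, baseHref);
  if (host === null) return false;
  if (host === new URL(baseHref).host.toLowerCase()) return true;
  return allowedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Wraps fetch, XMLHttpRequest.open and navigator.sendBeacon on `win`. Blocked
// requests are recorded and passed to `report` so monitoring can alert on them.
function installEgressGuard(win, allowedHosts, report) {
  const baseHref = win.location.href;
  const blocked = [];
  const allowed = (url) => isVettedDestination(url, baseHref, allowedHosts);
  const deny = (api, url) => {
    const ev = { api, url: String(url), host: hostOf(url, baseHref) };
    blocked.push(ev);
    report(ev);
  };
  const origFetch = win.fetch;
  win.fetch = function (input, init) {
    const url = typeof input === 'string' ? input : input.url;
    if (allowed(url)) return origFetch.call(win, input, init);
    deny('fetch', url);
    return Promise.reject(new Error('egress blocked: ' + url));
  };
  const origOpen = win.XMLHttpRequest.prototype.open;
  win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    if (allowed(url)) return origOpen.call(this, method, url, ...rest);
    deny('xhr', url);
    throw new Error('egress blocked: ' + url);
  };
  const origBeacon = win.navigator.sendBeacon;
  win.navigator.sendBeacon = function (url, data) {
    if (allowed(url)) return origBeacon.call(win.navigator, url, data);
    deny('beacon', url);
    return false;
  };
  return blocked;
}
```

In a real deployment the guard must be the first script to run on the page (before any third-party script), and the reported events should feed the same alerting pipeline as server-side telemetry; a Content-Security-Policy `connect-src` directive is a complementary, browser-enforced way to express the same allowlist.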
Some Magecart attacks have remained undetected for longer than 6 months and, as we learned from the British Airways breach, attackers were able to steal the credit card details of nearly 400k customers in just 15 days. This is a telling example of the fact that many organisations don’t know when a malicious skimmer is running on their websites, and it is the issue that should be addressed most urgently. When a Magecart skimmer finds its way onto a company’s website, the company must be able to detect it instantly, block the code and keep its users safe. To get there, organisations need real-time visibility of malicious code, which in turn paves the way to automating Magecart mitigation.
Looking back at how much Magecart web skimming attacks grew in 2020, it seems that attackers look set to maintain the upper hand throughout 2021. E-Commerce businesses are still mostly unprepared security-wise. And with massive fines to be levied if you are found in breach, along with any reputational damage arising from such attacks (difficult to calculate), the stakes are very high. At the end of the day, timing is the answer. If E-Commerce businesses gain the ability to detect Magecart in seconds (rather than months), then Magecart-style attacks could soon become a thing of the past.
About the Author
Pedro Fortuna is the Co-Founder and CTO of Jscrambler, where he leads the application security research activities and lays out the technical vision for all the products developed by the company. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and has more than a decade of experience researching and working in the application security area. He is a regular speaker at cybersecurity conferences and software development events, including multiple-time speaker at OWASP events. His research interests lie in the fields of Application Security, Reverse Engineering, Malware, and Software Engineering. Pedro is also the author of several patents in application security.