Magento software

Other platforms are at risk for Magecart attacks

Avishai Shafir, Director of Product Management, PerimeterX

The Magecart digital skimming attack group takes its name from the open source e-commerce platform Magento. Most of the online digital skimming attacks undertaken by the so-called “Magecart gangs” target Magento, many of whose installations still run older versions of the platform.

But Magecart is now much bigger than Magento. In December 2020, researchers identified a new, more technologically advanced type of Magecart exploit. Designed like other Magecart attacks to extract credit card information from web applications, this one could attack many popular e-commerce platforms and content management systems (CMS). These include Magento, WordPress, Drupal, Shopify, BigCommerce, Salesforce Commerce Cloud, and WooCommerce.

A scourge in the digital age

The emergence of this versatile skimmer is one of many indicators that the Magecart gangs are expanding their digital skimming efforts to a wider range of platforms. In May 2021, for example, Magecart gangs were identified as the source of a new variant of digital skimmers called MobileInter targeting mobile browsers and mobile websites. MobileInter has worked to identify mobile users across a wide variety of browsers.

This target expansion is a logical development. By increasing the attack surface, Magecart gangs increase their total addressable market. Equally important, we are seeing Magecart skimmers become more platform independent and designed to run on an unlimited number of applications running the same frameworks and code languages, namely PHP and JavaScript. For security teams and web application operators, protecting their digital storefront means adopting the risk mitigation lessons of Magecart for all e-commerce applications where sensitive financial information about customers is collected.

Since its appearance in 2015, Magecart has become a general description of a wide range of digital skimming attacks on web and mobile applications. Previously focused on point-of-sale (POS) terminals, where the skimmers were physical devices or POS system hacks, skimming has quickly moved to the internet and e-commerce platforms over the past five years. Today, most personal and financial information skimming occurs on the web and in mobile apps during cardless transactions.

This shift has made Magecart and digital skimming one of the most serious and damaging cybersecurity threats to e-commerce, financial services, travel, and government sites. In a Magecart attack, malicious hackers inject a “skimmer,” a piece of unauthorized JavaScript code into payment pages or other pages, where customers enter sensitive information. Some Magecart attacks inject modified forms or entire pages, inserting additional fields to collect unsolicited data on legitimate forms. Skimmers can also narrowly target their attacks; there is a whole family of Magecart attacks that specifically focus on stealing data from cryptocurrency users. Magecart attacks use advanced obfuscation techniques to make it difficult to read or understand the skimmer code.

Often, Magecart skimmers operate for months without the site operators or their security teams being aware of the hack. Since Magecart changes application behavior in subtle ways only on the client side of the application, operators have no easy way to observe the often hard-to-detect changes in what a user sees. Magecart attacks have successfully compromised thousands of web and mobile applications. The victims include dozens of global brands such as British Airways and Macy’s. The annual cost of Magecart attacks to online merchants and other operators is difficult to calculate precisely because these attacks are counted along with other financial attacks. The tally well exceeds billions of dollars per year in terms of losses, repair costs and damage to reputation. For example, British Airways paid a fine of $20 million for failing to protect its customers from a Magecart attack.

How Magecart is evolving beyond Magento

Magecart attacks injecting digital skimmers into web application code have increased during the COVID-19 pandemic and have remained at high levels since then across a more comprehensive array of platforms. Expanding to additional platforms is not rocket science. WordPress, WooCommerce, and Magento use PHP as the main application code base. All use JavaScript, the language of the web, as the primary client-side language for business logic. This shared foundation allows Magecart gangs to quickly modify an attack targeting one platform to work on another.

Magecart attackers have also recognized that third-party plugins and add-ons can provide efficient paths to compromise other platforms. Magecart gangs insert code into source code repositories or craft plugins of their own for these attacks. Since plugins typically barely change from one e-commerce platform to another, Magecart’s attack code tends to work well on plugins across all platforms. Known as the “supply chain attack,” this style of Magecart compromise is favored by more sophisticated gangs and is even more dangerous because it delivers its payload through trusted third parties. Site operators may not even have visibility into the compromised code; they can only identify the anomaly by spotting the changes clients are experiencing.

How to fight against scalable attacks

For security teams and operators running online e-commerce stores that do not run on Magento, the risks of Magecart gang skimming attacks increase as the genre evolves toward a wider range of target platforms. Defending against these attacks requires a more complete view of where Magecart’s exploits are likely to strike and the behaviors they are likely to adopt. With this shift to a wider range of targets and cross-platform Magecart code, attacks are more likely to focus on universal attributes shared by all of these platforms, such as plugins, shared fields, or even favicons, a popular vehicle for obfuscating and inserting unwanted JavaScript code. Alternatively, Magecart gangs will program behavior that can recognize specific attributes such as payment forms or credit card requests. This makes Magecart more dangerous because it is more widespread.

More basic cybersecurity tools like Web Application Firewalls (WAFs) do little or nothing to protect against Magecart attacks. WAFs protect against inbound (server-side) attacks but do not protect against client-side attacks. Some security teams run static analysis on their web application code to identify changes and anomalies. Magecart attacks escape this by inserting third-party code (like favicons) that is served dynamically. A more effective approach is to use content security policies (CSPs) to guard business logic and prevent web application code from performing unwanted behavior. CSPs require extensive tuning, however, and are not sufficient protection on their own, for example against the compromise of a trusted domain that injects a skimmer into application code.

Additionally, a CSP can control traffic (inbound and outbound) with a domain based on the authorization policy. This method is irrelevant when the attack vector is an authorized domain (like Google or other big software vendors). Applying these restrictions will also cause many site failures when developers forget to update the CSP.

To properly guard against all types of Magecart attacks, security teams and site operators should seek solutions that continuously analyze application behavior (client-side security monitoring) to identify minor anomalies that may indicate the presence of a skimmer. Because all skimmers have the same goal, they tend to behave similarly. Machine learning (ML) is an ideal tool to study skimming behaviors and legitimate behaviors of large-scale web applications over billions of interactions.

Using this information, ML technology can recognize common patterns of Magecart behavior and recognize when an application deviates, even slightly, from its usual expected behavior. By leveraging real-time behavioral analysis of application behavior and comparing it to past behaviors, retailers can identify Magecart attacks in real time and make site operators aware of the problem. As Magecart evolves and expands its target list, knowing the enemy and countering them in real time is the best defense against threats, known and unknown.

PerimeterX provides security services for websites and mobile applications.