3 Main Steps to Prevent Magecart Attacks
March 31st, 2020 | By Pedro Fortuna | 5 min read
Preventing Magecart means defending against a class of cyberattacks in which payment card data is stolen by skimming online payment forms in the customer's browser.
Magecart attacks have gained mainstream media attention over the last year or so; the most recent high-profile incident hit the photography retailer Focus Camera.
Focus Camera: Magecart Attack Examples
Their website got hacked by Magecart attackers who injected malicious code that stole customer payment card details. The script loaded at checkout captured billing information and sent it to the attacker’s server.
Focus Camera just added their name to the growing list of well-known organizations that have fallen victim to similar attacks (British Airways, Newegg, Macy’s) during the last year, with hundreds of thousands of customers typically having their card details stolen.
The Magecart credit card skimming approach is often to insert the malicious skimmer’s code into their target’s third-party providers (which has come to be known as web-based supply chain attacks).
The attacks on British Airways, Equifax, Forbes, and thousands of others were all achieved via malicious code that was injected into company websites through third parties and then run in users' browsers. In this way, a company's website or web app has become the perfect stage from which to steal customer data.
And let us not forget the huge financial downside for those companies.
After the attack on British Airways, for example, the Information Commissioner's Office (the body responsible for upholding the UK's information rights in the public interest) announced its intention to fine British Airways (BA) £183.39 million for breaches of GDPR. And while BA offered to reimburse customers who suffered financial loss as a result of the breach, it never actually admitted liability.
Reputational damage arising from such a high-profile attack is difficult to calculate, and there are signs of ambulance-chasing outfits seeking to reimburse those individuals affected, a kind of PPI-style payout scenario. The stakes are very high.
What can organizations do in the face of such large-scale attacks with such far-reaching consequences?
How to prevent Magecart attacks?
Uncover your security blind spots
If you are serving your customers via any kind of e-commerce platform or website, then are you sure that the website content that your customers are receiving is what you expect them to receive?
Is the website that your potential customers are interacting with a bona fide site and not one that has already been tampered with by hackers? Typically, neither business owners nor security teams have a definite answer to this question.
A decades-long focus on server-side security has resulted in almost everything that happens on the client-side (i.e., the browser and the environment where Magecart attacks operate) going widely unnoticed.
Enough postmortem analyses of Magecart attacks have been made, and we now understand that there’s no guaranteed way of preventing these types of attacks altogether.
We can, however, shift our attention to what is happening on the client-side. If organizations still can’t clearly answer the question "What code are my users receiving when they visit my checkout page?”, then they have a massive client-side security gap where Magecart thrives.
Understand and fill the client-side security gap
Not all Magecart groups use the same strategies to breach e-commerce websites.
Some opt for a first-party breach, either directly by breaching the first-party server or indirectly by infecting code that is later pulled to the server as part of the build process, but the majority pursue an attack via third-parties, considered the weakest link.
This weak link usually means the scripts that companies run on their websites, such as live chat, widgets, analytics, or other utilities, over whose security the companies that use them have zero control. Because the attack originates from a source that is trusted by default, a legitimate third-party supplier, the malicious code easily bypasses firewalls and other perimeter controls.
The enterprise should vet third-party code and its suppliers’ security (or lack thereof). However, this often loses priority to product development. The job ultimately falls to the client-side security systems in place; often, none seem able to prevent Magecart.
Magecart attacks are becoming more sophisticated.
Recent versions of Magecart are using bot detection techniques to avoid detection by some security solutions, making it even harder to stop the skimmer in its tracks. It makes sense that the way we address these attacks evolves in a similar fashion.
Protect against future attacks
What can be done to mitigate such Magecart-style attacks?
Considering an evolving security mindset, instead of looking for a solution that prevents unpreventable malicious code injections, the enterprise should seek to be able to detect these injections and quickly block Magecart attacks.
Third-party management
Third-party management and validation are a good start, but not enough.
Vetted scripts can change behavior, so the key is to only trust these scripts if they don’t change their behavior. A live chat script has no business touching the payment form. A script that never sends information out should never be able to send data to an unvetted domain.
Beyond vetting the code, restricting these behaviors is what makes a good defense, as one layer of a defense-in-depth strategy.
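One concrete form of the behavioral restriction described above is an egress allowlist installed on the checkout page: it wraps the browser APIs a script would use to send data out (fetch, XMLHttpRequest, navigator.sendBeacon) and reports and blocks any request to a host that has not been vetted. This is an added illustration, not Jscrambler's product code; the host names, the allowlist and the violation handler are placeholders.

```javascript
// Egress allowlist for the checkout page (added example; hosts are placeholders).
const VETTED_HOSTS = new Set(['shop.example', 'api.shop.example', 'chat.vetted-vendor.example']);

// Resolve a request target (absolute or relative) to a lowercase hostname, or null if unparsable.
function hostOf(url, base) {
  try { return new URL(String(url), base).hostname.toLowerCase(); }
  catch { return null; }
}

// A destination is allowed only if its host is on the vetted list; unparsable targets are refused.
function isAllowedDestination(url, base, vetted = VETTED_HOSTS) {
  const host = hostOf(url, base);
  return host !== null && vetted.has(host);
}

// Install guards on `g` (normally `window`). Passing a plain object instead lets this be unit-tested.
// `onViolation` receives {api, url, host} so the event can be logged or sent to a monitoring endpoint.
function installEgressGuard(g, base, vetted, onViolation) {
  const check = (api, url) => {
    if (isAllowedDestination(url, base, vetted)) return true;
    onViolation({ api, url: String(url), host: hostOf(url, base) });
    return false;
  };
  if (typeof g.fetch === 'function') {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      const url = (input && input.url) || input;          // Request object or string/URL
      if (!check('fetch', url)) return Promise.reject(new TypeError('blocked by egress guard'));
      return origFetch.call(this, input, init);
    };
  }
  if (g.XMLHttpRequest) {
    const origOpen = g.XMLHttpRequest.prototype.open;
    g.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      if (!check('xhr', url)) throw new Error('blocked by egress guard');
      return origOpen.call(this, method, url, ...rest);
    };
  }
  if (g.navigator && typeof g.navigator.sendBeacon === 'function') {
    const origBeacon = g.navigator.sendBeacon.bind(g.navigator);
    g.navigator.sendBeacon = (url, data) => check('sendBeacon', url) && origBeacon(url, data);
  }
}
```

A guard installed from page JavaScript can be sidestepped by a script that captured the original API references before it ran, so it complements, rather than replaces, a server-set Content-Security-Policy (connect-src, form-action) and independent page monitoring.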
Defense strategy
And this is where organizations are failing.
Some Magecart attacks have remained undetected for longer than six months, and, as we learned from the British Airways breach, it only took (allegedly) 15 days to steal the credit card details of over 380,000 customers.
This makes it clear that organizations don’t really have a way of knowing when a malicious skimmer is running on their websites. And so this is the issue that should be addressed most urgently: when a Magecart skimmer somehow finds its way into a company’s website, the company must be able to instantly detect it, block the code, and keep its users safe.
To achieve this, organizations should put in place a web page monitoring solution so that they gain real-time visibility of malicious code and pave the way to automating Magecart mitigation.
The ongoing wave of Magecart attacks shows how unprepared e-commerce businesses are, security-wise.
Timing is key.
If e-commerce businesses gain the ability to detect Magecart in seconds, then we are looking at a decade where Magecart’s headline-making days are numbered.
This article was originally published on The Next Web.