[Case Study] How a Major Airline is Mitigating Magecart Attacks with Jscrambler
June 23rd, 2021 | By Jscrambler | 5 min read
If you are a cybersecurity aficionado you have likely heard of the Magecart cybercriminal groups. Very active since 2018, they are known for injecting web credit card skimmers on e-commerce and payment websites and pose a serious threat to businesses.
In this blog post, we’ll dive into this topic by exploring a case study on how Jscrambler has helped a major airline mitigate Magecart attacks.
Note: As per the request of our clients, we have anonymized all company and personal names.
In a Magecart attack, attackers inject a skimmer that hijacks the submission of a form containing credit card details. These details are then sent to attacker-controlled drop servers. During this whole process, neither the end-user nor the company has any awareness that the attack took place.
While we’ve seen Magecart attacks originating from compromises of first-party and third-party code, attacks targeting third parties are especially critical because they don’t require a first-party server breach or direct access to the company’s website. Attackers can exploit a third-party integration such as a live chat widget to inject the skimmer’s code without being detected.
Because many Magecart attacks occur without any awareness from the users and the affected company, they remain active for months before being detected and taken down. From our own analysis of a sample of known attacks, skimmers remain active for 104 days on average before being detected and taken down.
These attacks pose a significant threat to businesses. Looking back at known Magecart attacks, we see that they have likely caused over $1 billion in direct business losses, notably the $26 million GDPR fine on British Airways.
Then, we still have to consider the potential deep impact of indirect business losses. Because of negative PR and loss of customer trust following a Magecart data breach, losses in revenue can have a long-lasting impact on the business.
New Magecart attacks are still emerging every week and getting more sophisticated. Companies are gradually understanding the need to think outside the firewall and are looking to protect the client side. But several security approaches commonly associated with Magecart prevention often fail to make the cut against this new wave of sophisticated skimmers. Some, like domain sinkholing or CSP, are often bypassable; others introduce unsustainable performance drops and cause malfunctions.
While these skimmers keep evolving their tactics, they always display specific types of malicious behavior. As such, a behavior-based approach to Magecart mitigation provides the best chance of detecting and blocking this malicious behavior in real time. This is precisely what Jscrambler Webpage Integrity has been delivering to e-commerce enterprises, as we will discuss next.
The 2018 Magecart attack on British Airways made headlines around the world because it managed to silently exfiltrate over 380,000 credit cards and remain active for 15 days before being detected and taken down.
After it was disclosed that BA initially faced a $230 million GDPR fine, the threat of Magecart attacks became much more noteworthy. And as companies started to look for solutions that could actually mitigate this type of sophisticated client-side attack, we were contacted by a major airline with this challenge: to prevent Magecart web skimmers from running undetected on their pages and exfiltrating data.
Just like several other enterprises, this company had web apps running scripts from third parties. One key priority was being able to know when one of these scripts changed behavior. Such a change could potentially be linked to attackers exploiting vulnerabilities of these third-party providers and injecting malicious code that could lead to a Magecart attack.
“After learning about the Magecart attack on British Airways, it became our priority to detect and prevent these attacks from happening to us.” – Jscrambler client, Airline industry
Fast implementation was one of the biggest requirements of this project. Each unmonitored user session could potentially be hiding a web skimmer and the risk of a breach was tangible.
And with the company having such a complex web environment, several other requirements had to be met. For one, the company required a solution that could be easily integrated into the SIEM that it was currently using. Then, it had to guarantee minimal performance overhead, ensuring that the end-users’ experience wouldn’t be negatively affected.
“We had to be alerted immediately when a third-party script started doing things that it shouldn’t do.” – Jscrambler client, Airline industry
The company also wanted to make sure that the solution would work correctly even in scenarios where file names change frequently.
Due to the urgency of implementing a solution that was capable of stopping potential Magecart attacks, the company was testing several different vendors.
“Jscrambler has merit in passing every test we threw at it and being able to thwart the web skimming scenarios that we tested.” – Jscrambler client, Airline industry
As such, the company put Jscrambler Webpage Integrity to the test in multiple different attack scenarios. These dozens of tests included detecting the illegitimate addition, modification, or removal of page content (DOM tampering), the poisoning of form events, and the exfiltration of data to a drop server.
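As an added example (not Jscrambler's or the airline's code), here is a minimal set of behaviour-based checks covering the three scenarios just named: DOM tampering, form-event poisoning, and exfiltration to a drop server. The trusted-origin allowlist, the page origin, the simplified record shapes and the sensitive-event list are assumptions.

```javascript
// Added example, not Jscrambler's or the airline's code: minimal behaviour-based checks
// for the three tested scenarios. Origins, record shapes and the event list are assumptions.
const PAGE_ORIGIN = 'https://www.airline.example';            // assumed first-party origin
const TRUSTED_ORIGINS = new Set([                              // assumed allowlist of vetted origins
  PAGE_ORIGIN,
  'https://cdn.vetted-vendor.example',
]);

// Resolve a URL (absolute or relative to the page) to its origin; null if it cannot be parsed.
function originOf(url) {
  try { return new URL(url, PAGE_ORIGIN).origin; } catch { return null; }
}

// 1. Exfiltration to a drop server: any outbound request to an origin outside the allowlist.
function checkRequest(url) {
  const origin = originOf(url);
  if (origin && TRUSTED_ORIGINS.has(origin)) return null;
  return { kind: 'exfiltration', detail: `request to untrusted origin ${origin ?? url}` };
}

// 2. DOM tampering: a <script>/<iframe> injected from an untrusted or inline source, or a
//    <form> created at runtime. `record` mimics a MutationRecord: { addedNodes: [{ tagName, src }] }.
function checkMutation(record) {
  const findings = [];
  for (const node of record.addedNodes || []) {
    const tag = (node.tagName || '').toLowerCase();
    if (tag === 'script' || tag === 'iframe') {
      const origin = node.src ? originOf(node.src) : null;
      if (!origin || !TRUSTED_ORIGINS.has(origin)) {
        findings.push({ kind: 'dom-tampering', detail: `${tag} injected from ${origin ?? 'inline/unknown'}` });
      }
    } else if (tag === 'form') {
      findings.push({ kind: 'dom-tampering', detail: 'form element added at runtime' });
    }
  }
  return findings;
}

// 3. Form-event poisoning: a listener for a data-bearing event on a form control, registered by
//    a script whose origin is not trusted (in a browser the caller comes from `new Error().stack`).
const SENSITIVE_EVENTS = new Set(['submit', 'input', 'change', 'keydown', 'keyup']);
const FORM_TAGS = new Set(['form', 'input', 'select', 'textarea']);
function checkListener(targetTag, eventType, callerScriptUrl) {
  if (!SENSITIVE_EVENTS.has(eventType) || !FORM_TAGS.has(targetTag.toLowerCase())) return null;
  // Callers without an http(s) URL (inline or anonymous code) are treated as untrusted.
  const origin = /^https?:/.test(callerScriptUrl) ? originOf(callerScriptUrl) : null;
  if (origin && TRUSTED_ORIGINS.has(origin)) return null;
  return { kind: 'form-poisoning',
           detail: `${eventType} listener on <${targetTag}> registered from ${origin ?? callerScriptUrl}` };
}
```

In a browser these checks would be fed by a MutationObserver, by wrappers around fetch, XMLHttpRequest and navigator.sendBeacon, and by a wrapped EventTarget.prototype.addEventListener that reads the registering script's URL from the call stack, with findings forwarded to the SIEM.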
Beyond testing the raw detection and mitigation capabilities of Jscrambler, the company also highlighted the exceptional level of control that the tool provides. Unlike most solutions out there, Jscrambler Webpage Integrity provides fine-grained behavior control both based on high-level assumptions and user-defined rules.
“The level of control and the ease of taking out the solution with no impact are added benefits.” – Jscrambler client, Airline industry
Performance was also tested to understand the potential impact that Jscrambler could have when added to the company’s web pages. During these tests, our client found that Jscrambler could easily be taken out with zero impact and this flexibility was very valuable in their case.
After pondering all the factors, from the raw capabilities to the ease of integrating and maintaining the solution, the company concluded that Jscrambler outperformed all other vendors. As a result, they took the step forward of migrating from a PoC environment to a live production one.
Throughout every stage of the demanding testing process, Jscrambler Webpage Integrity consistently received approval from several different teams and committees within the company, from software development to architecture and legal.
By providing support from a dedicated engineering team, we were able to deliver in this very challenging timeframe. We were successful in ensuring a very smooth transition from PoC to a live environment. During the 2-week learning process after the official kick-off, we were able to fine-tune Jscrambler and ensure it would be ready for the battlefield.
“This solution has met our requirements and we’re confident to deploy it in our live environment to help us prevent a Magecart breach.” – Jscrambler client, Airline industry
More than being able to deliver a timely, robust, and flexible solution to a major airline (and receiving additional confirmation that our solution is the best choice to mitigate Magecart attacks), we’re thrilled to know that millions of travelers benefit from protection against credit card skimmers and enjoy a safer online experience.
Magecart attacks can have devastating impacts on companies, and these impacts are further aggravated when companies lack adequate visibility over what is happening on their pages.
In this case study, we saw how Jscrambler was able to help a major airline mitigate this threat, but our mission doesn’t stop here. As such, we are offering our Magecart detection technology free of charge for 3 months to help companies begin their journey to Magecart mitigation.