Magecart Attack

Magecart attacks typically follow one of two approaches: a first-party attack or a third-party attack.

First-party attack

In a first-party attack, malicious actors access the victim’s website and directly place the skimmer on the payment page. Some examples of Magecart attacks that followed the first-party approach include the 2018 attack on British Airways (that leaked over 400,000 credit card details) and the 2022 attack on the Segway online store (whose figures remain undisclosed).

Third-party attack

In a third-party attack, this malicious code is injected through a third-party provider that the victim company is using: an approach known as a supply chain attack. Magecart supply chain attacks are especially critical because they don’t require a first-party server breach or direct access to the company’s website. Even companies with robust Web Application Firewalls and server-side security are susceptible to these attacks because they exploit client-side security weaknesses.

Because modern websites rely, on average, on 35 different pieces of third-party code, each one of them could present attackers with a way into the system.

In a Magecart attack, attackers inject the skimmer (through malicious JavaScript code) into a company’s payment page. This code actively listens to events happening on the page and collects credit card details whenever a user submits them in a form (event hijacking). These details are then sent to attacker-controlled drop servers.

Throughout the process, it’s common for neither the end-user nor the company to be aware that the attack occurred. Because of this, a significant number of Magecart attacks remain active for months before being detected and taken down.

1. British Airways

One of the biggest recent examples of a Magecart attack occurred in 2018 at British Airways, which was specifically targeted.

This attack targeted the payment methods on the website and mobile app, resulting in the personal data leak of nearly 400,000 customers. The attackers copied the Javascript payment forms from the website and modified them, allowing them to send the payment information to a server controlled by the attackers.

This malicious code remained active and undetected for 15 days, and, as a GDPR fine, British Airways had to pay a total of £183 million for not preventing the attack or keeping their customer's data safe.

2. Ticketmaster

In 2018, Ticketmaster announced that payment information had been stolen from its websites.

Upon investigation, it was concluded that the attackers used Magecart operators who placed skimmers on checkout pages through third-party vendors. They also attacked the third parties themselves, which gave the attackers access to more than 800 e-commerce sites.

3. Forbes

In 2019, the renowned US magazine Forbes also suffered a magecart attack. When its users were entering their data on the magazine's subscription page, the attackers used injected web-skimming scripts to access their data: names, addresses, contact numbers, and emails, as well as the credit cards’ expiration dates and CVV/CVC verification codes.

Learn more about the 7 biggest magecart attacks to date and what to learn from them at Jscrambler's blog.

While Magecart has certainly entered the radar of several companies over the past few years, dealing with a new and constantly mutating attack vector is a tough security challenge.

If we put a typical Magecart attack under the microscope, we will find two key problems:

• Problem 1: the inability to detect a web skimmer when it’s running on the client-side;

• Problem 2: the lack of capabilities to mitigate the attack.
  
  

The prevention strategy

As such, the first step in a Magecart prevention strategy must be gaining client-side visibility. Companies can easily achieve this by using webpage inventory technology that actively monitors the client side, looking for signs of malicious behavior. Some examples of typical Magecart behavior are a third-party script tampering with a payment form, payment data being sent out to an unknown domain, etc.

After gaining visibility, companies need the ability to block malicious behavior, ideally without disrupting the customer experience. This is where it can get even trickier, as some novel security approaches are often unstable and can break the entire website.

A proper Magecart mitigation strategy must be able to block the source of the malicious behavior in real-time, regardless of the strategy used by the attackers, ensure that no data is leaked, and keep the user experience intact throughout the whole process.