
Website Security: Magecart and credit card skimming

Simon Roe
Online payment skimming operations run by Magecart criminals continue to intensify and develop, reportedly compromising more than 2 million websites. The most infamous attack was the breach of British Airways in 2018, in which the credit card data of nearly 400,000 BA customers was compromised and which led to a proposed regulatory fine of around $230 million (£183 million). It was the moment the world stood up and took note of this new and dominant threat.

Magecart building momentum since 2000s

Magecart attacks are becoming well known in the cyber security community, as the group is responsible for high-profile breaches such as Ticketmaster and Newegg, and they are a growing concern for online retailers and for any business that handles consumer credit card data online. A successful Magecart attack can be extremely damaging to the consumers whose details are stolen and severely damaging to the reputation of the organization that suffered the breach.

According to Forrester:

“Magecart is a prominent criminal syndicate and focuses on skimming customer data from web forms to gain credit card numbers and personally identifiable information (PII).”

Magecart is becoming a big challenge for security professionals: it is a widespread browser-based attack carried out by injecting malicious JavaScript into a site, and it often goes unnoticed by the site owner. The malicious code is typically placed on payment forms and checkout pages to steal customer credit card details, which the criminals then monetize. The earlier cases of exposure through third-party shopping cart software foretold this trend, which has grown into a huge risk for online businesses today.

Magecart is a criminal specialism we are seeing more and more of, targeting ecommerce websites. Specialist developers create 'kits' built to steal credit card data from online stores but often take no part in the attacks themselves. The kit creators earn money either by selling their kits or by entering into profit-sharing agreements with the groups that go on to commit the attack, splitting the proceeds between them. Companies affected by Magecart include British Airways, Ticketmaster and Newegg.

The price the criminals get is based on the value of the targeted organization's data and is set by those running the illicit stores. However, criminals are not selective: any website that handles credit card data attracts them as they look to exploit outdated software vulnerabilities, so this is not an issue only for the biggest online retailers. They look for the easiest route to maximize their gains and should not be ignored. We routinely see criminals gain access to compromised websites via ecommerce content management systems (CMS), which shows how important it is for every online business to secure all of its web applications and keep the door firmly shut to these attacks.

Read how Outpost24 helps Lomax, a multi-channel office supply company, secure its ecommerce website.


Keep Magecart at bay and stay in control of your application security

If you self-host your ecommerce store, you need to continuously monitor and test the security of your application for vulnerabilities, including regular automated and manual penetration testing. If you rely on a third party to host your online store, there is a degree of risk acceptance: you must trust that third party to maintain the security practices you expect. Cross-site inclusion of content (third-party scripts loaded into your pages) is extremely common and poses a big risk, because most sites have heavy dependencies and malicious code can sit on the owner's site without their knowledge. Pinning each third-party script with Subresource Integrity and restricting where the page may connect with a Content Security Policy limit what an injected script can do, but neither replaces testing. Once a website is infected, payment card information is harvested without the organization being aware that it has been compromised.

Cloud-hosted online stores are no more or less at risk than any other website. Almost all Magecart risk comes from outdated ecommerce stores running a standard platform, vulnerabilities in custom web applications, or breaches of a central provider's hosted scripts that are used by many other businesses.


How to prevent risk of Magecart attack

An application security solution in place will reduce the risk of a Magecart attack through:

  • Complete and continuous application security monitoring: Automated scanning of your website to detect potential malicious threats in real time, 24x7
  • Human pen testing: Conducted by experts who use the same skills as attackers to spot security flaws early
  • Automated alerts: Detect risks in real time so you can patch as soon as an issue is identified
  • Detection of WASC and OWASP Top 10 vulnerabilities: Scans for common vulnerabilities including XPath injection, XML injection and cross-site scripting
  • CVE results: Scans against the CVE catalog (OSI layers 3-7) including remote file execution, insecure indexing, server misconfiguration and framework vulnerabilities

Forrester, Oct 2019

Dark Reading, May 2019
