Inside Magecart: The Importance of Deploying Appropriate Cyber Defenses for Web Applications

Inside Magecart: The Importance of Deploying Appropriate Cyber Defenses for Web Applications

As the world becomes more reliant on the Internet, massive amounts of sensitive information are being transferred via organizations’ websites. This includes payment card information, which is protected both by general data protection regulations (like GDPR) and more specific ones like PCI-DSS.


Payment card information is valuable to hackers since it can easily be used or sold on the black market. One hacker group that has been making recent headlines is Magecart, a group that specializes in stealing payment card information by taking advantage of vulnerabilities in legitimate websites. Their credit and debit card skimming campaigns have netted them hundreds of thousands of customer records. However, these attacks are entirely preventable if an organization takes the appropriate steps to secure their web presence.

The Magecart Group


The Magecart group’s attacks depend upon the use of scripts, which are allowed in web pages for a variety of different reasons – including providing most of the animation and interactivity of a webpage. However, they can also be abused by hackers. The Magecart group has developed a very specific and profitable means of stealing customers’ personal information: by embedding malicious scripts on an organization’s website, they can skim users’ payment card information as they submit it to legitimate sites.


In order for a payment website to work, it needs to have access to the user’s payment card information. The security model of websites means that anything coming from the same place (including malicious scripts embedded in a webpage) have the same permissions to access sensitive resources. This allows Magecart scripts to steal payment card information and then send it on to an attacker-controlled computer.


Multiple different means exist for the Magecart hackers to embed their malicious scripts within a webpage. They can compromise a web server and load their malware onto the server directly or take advantage of digital advertising networks. Ad networks are designed to put third-party content in front of as many eyes as possible, and even legitimate ads often include scripts. Magecart has taken advantage of malvertising as part of their attack campaigns.

High-Profile Magecart Hacks


The Magecart group has been in the news often due to their high level of success in breaking into and stealing sensitive information from large organizations. Some of the Magecart group’s more famous efforts include the theft of sensitive information regarding customers of British Airways and the Magento eCommerce platform.


British Airways

One high-profile Magecart attack was against British Airways. This breach made headlines since it was the incident that spurred the UK’s Information Commissioner’s Office (ICO) to levy a record-breaking GDPR fine against the airline.

In this attack, the Magecart group inserted a malicious script into the payment page where customers can purchase their flights. The modified script would collect the payment card information and send it a URL that looked legitimate but was not, in fact, a real British Airways URL. The plausibility of the attack may have delayed detection, increasing the amount of sensitive information that the Magecart group was able to collect.


Magento Platform



Magento is a platform designed to make the development of eCommerce sites easier. It handles the implementation of the shopping cart functionality and provides flexibility in its look and feel. As a result, it’s a popular tool for developing eCommerce websites.

In August 2019, it was discovered that the Magecart group had compromised an outdated version of the Magento platform. The Magento platform had functionality that would pull a preview of a Vimeo video when adding it to a product. If the file pointed to wasn’t a valid file, Magento would still download it but would throw an error. The Magecart hackers took advantage of this functionality to load their malicious scripts into vulnerable websites.

In total, 80 different eCommerce sites were found to be exploited using this vulnerability and sending customer payment card information to the Magecart group. Since the vulnerabilities used by Magecart to infect these sites were known and fixed in the current version of Magento, this demonstrates the importance of deploying defensive solutions to protect vulnerable web applications.

Securing Data Against Magecart


The Magecart group’s attacks are enabled by their ability to load malicious scripts into websites and have them execute when users are providing sensitive information to the site (like payment card information). The means by which these scripts are added to the site can vary greatly, from a direct compromise of a vulnerable web server to taking advantage of the use of a vulnerable application (like the outdated versions of the Magento eCommerce platform).


The stakes for failing to adequately protect customers’ sensitive data can be very high. Just think about it - the Magecart Breach of British Airways resulted in a fine greater than all of those levied in the first year of GDPR enforcement put together.


The common denominator between the different organizations affected by Magecart is the failure to properly protect and monitor their web resources. Magecart attackers need to be able to inject malicious scripts into an organization’s website in order to be successful.


This is why it is so important to deploy appropriate cyber defenses for web applications, like a strong Web Application Firewall (WAF) - a top-of-the-line WAF has the ability to monitor activity to a website and alert on any anomalies. This can dramatically decrease the probability that an attacker like Magecart will successfully inject and operate a malicious script on a site without detection.

...

item