What is Magecart?

In the digital age, online shopping has become a routine for many, offering convenience but also exposing people to cybercrime risks. One such threat is Magecart, an attack targeting online businesses to steal customers’ credit card information. This article explores what Magecart is, how it operates, and most importantly, how you can protect your business from this dangerous threat.

What is Magecart?

Magecart, originating from the ecommerce platform Magento, is a cyberattack strategy aimed at online businesses, intending to pilfer sensitive data, particularly payment card details. These assaults involve web skimming and trace back to the Magecart hacker collective, which emerged in 2015, initially targeting prominent global brands. By exploiting vulnerabilities in third-party ecommerce and e-service platforms, attackers implant malicious code into an online retailer’s payment pages via the browser to extract information. This code intercepts payment card data inputted by site visitors during checkout and transfers it to a domain controlled by the attacker for collection.

Due to their browser-based nature, Magecart attacks are challenging to identify, often concealed within legitimate code on the retailer’s website. Executed on the client side, these attacks evade detection by conventional web security measures like web application firewalls (WAFs). Consequently, Magecart attacks can persist undetected for extended periods, jeopardizing customers who unwittingly provide their credit card details on compromised websites, thus endangering their sensitive information.

How does Magecart work?

Mass and targeted Magecart attacks are executed through various methods, typically comprising three primary stages:

1. Infiltration: Attackers gain entry to the retailer’s website by exploiting script vulnerabilities or targeting third-party vendors via supply chain attacks.
2. Implantation: Evolving techniques are employed to implant malicious code and evade detection. Examples include:
   • Injecting malicious code directly into sensitive payment pages to skim information.
   • Generating counterfeit payment forms on authentic brand sites through code manipulation.
   • Redirecting users to fake sites resembling authentic ones for completing transactions.
   • Concealing recognizable third-party vendor code, like Google Tag Manager.
3. Data exfiltration: The attacker retrieves and dispatches customers’ credit card details to their own server, facilitating fraudulent transactions or sale on the dark web.

Impact of Magecart Attacks

Here are several potential consequences of Magecart attacks:

1. Theft of personal information: While primarily targeting credit card details, Magecart attacks can also result in the theft of personal data, potentially impacting millions of shoppers.
2. Revenue loss: Following a Magecart breach, small to medium-sized eCommerce retailers may experience a notable decline in online sales due to diminished customer trust in their security measures.
3. Further infection: If a Magecart group obtains user login and administrator credentials, they can expand their attack to infect additional websites. For instance, during the VisionDirect.co.uk breach, a Magecart group not only compromised the main site but also the retail sites of seven other European countries.
4. Legal and compliance repercussions: A Magecart attack exposes companies to lawsuits from affected customers, potential legal penalties under regulations like GDPR, and industry sanctions such as PCI DSS audits and restrictions on credit card processing capabilities.

Examples of Magecart Victims

Here are some prominent instances of organizations targeted by Magecart groups:

1. Magento: Initially, Magecart aimed at Magento, a third-party shopping software. The name “Magecart” itself combines “shopping cart” and “Magento,” with Magento and other eCommerce software providers like OpenCart remaining primary targets for Magecart groups.
2. British Airways: British Airways disclosed a breach of its website and mobile application, leading to the theft of payment information from 380,000 customers. RiskIQ attributed the breach to Magecart, highlighting the direct compromise of British Airways’ website through exploitation of its unique functionality and structure. Magecart attackers replicated JavaScript payment forms from the website, modifying them to transmit payment details to a server under their control while ensuring functionality in end-user browsers. Furthermore, recognizing similarities between the web and mobile applications, the attackers extended their access to mobile users, many of whom were among the affected victims.
3. Amazon S3 Buckets: RiskIQ uncovered Magecart’s extensive compromise of numerous third-party web suppliers, surpassing previous reports. Magecart actors automated the process by scanning for misconfigured Amazon S3 buckets, compromising a substantial number impacting over 17,000 domains, including those ranking highly on Alexa.
4. Hanna Andersson: In 2020, Hanna Andersson, an American children’s apparel maker and online retailer, disclosed a hack on its eCommerce platform, where malicious code was injected to pilfer customers’ payment information over nearly two months. The Magecart attack went unnoticed until compromised credit cards surfaced on the dark web. Consequently, Hanna Andersson agreed to a $400K settlement in a California Consumer Privacy Act (CCPA) related breach lawsuit, offering compensation to over 200,000 affected US-based customers who made purchases during a specified period.

How to Protect your Business From Magecart

Protecting your business from Magecart attacks requires a comprehensive approach encompassing various steps to fortify your website and maintain customer trust.

Understand and Mitigate Third-Party Risks: Begin by creating an inventory of all third-party resources integrated into your website, assessing their associated risks, and ensuring vendors conduct regular vulnerability audits.

Keep Software Up to Date: Maintain all software used on your website, including content management systems and payment processing software, with the latest security patches to mitigate potential vulnerabilities.

Implement Client-Side Visibility: Establish a Content Security Policy (CSP) to manage trusted domains executing on your website. While CSPs help block unauthorized scripts, supplement this with a solution that monitors and provides visibility into script behaviors executed within browsers to detect and defend against potential attacks.

Steps for Merchants to Prevent Magecart Attacks:

• Identify Third-Party JavaScript: Compile an inventory of all third-party JavaScript code on your website.
• Request Third-Party Code Audits: Encourage third-party vendors to audit their code to ensure its authenticity and absence of malicious elements.
• Prefer First-Party Services: Whenever feasible, host software on your servers rather than relying heavily on third-party services.
• Implement HTTP Content-Security-Policy Headers: Add an extra layer of protection against cross-site scripting (XSS), clickjacking, and code injection attacks.

Modern solutions dedicated to client-side protection can effectively thwart Magecart attacks and similar threats.

Consumer Protection Measures:

While eCommerce merchants are responsible for securing their websites, consumers can take proactive steps to protect themselves:

• Exercise Caution with Personal Information: Avoid entering personal details on untrusted websites.
• Use Single-Use Credit Cards: Employ services like privacy.com to generate one-time-use credit cards for online transactions.
• Verify Domain URLs: Ensure the website domain is legitimate and not a fraudulent copycat created by attackers.
• Use Browser Plugins: Employ plugins to block JavaScript from untrusted sites, reducing the attack surface. Note that this method doesn’t safeguard against embedded malicious code on trusted sites.
• Block Connections to Malicious IP Addresses and Domains: Administrators can configure corporate or managed devices to block connections to known malicious IP addresses and domains.

By combining proactive measures on both the merchant and consumer sides, the risk of Magecart attacks can be significantly mitigated, bolstering security and maintaining trust in online transactions.

FAQ’s

What exactly is Magecart?

Magecart is a form of cyberattack primarily aimed at online businesses, particularly those involved in eCommerce. It involves the theft of sensitive data, especially credit card information, by implanting malicious code into the target website’s payment pages.

How do Magecart attacks operate?

Magecart attacks typically consist of three main stages: infiltration, implantation, and data exfiltration. Attackers exploit vulnerabilities in websites or third-party services to insert malicious code, which then captures and sends users’ payment card details to the attackers’ servers.

What are the potential impacts of Magecart attacks?

Magecart attacks can lead to various consequences, including theft of personal information, revenue loss for affected businesses, further infections spreading to additional websites, and legal and compliance repercussions such as lawsuits and penalties.

Can you provide examples of organizations targeted by Magecart groups?

Certainly. Some notable victims of Magecart attacks include Magento, British Airways, Amazon S3 Buckets, and Hanna Andersson. These instances highlight the wide-ranging impact Magecart attacks can have on both large corporations and smaller businesses.

How can businesses protect themselves from Magecart attacks?

Businesses can implement several measures to safeguard against Magecart attacks, including understanding and mitigating third-party risks, keeping software up to date, and implementing client-side visibility solutions to monitor and detect malicious activities.

What steps can merchants take to prevent Magecart attacks?

Merchants can take proactive steps such as identifying third-party JavaScript, requesting code audits from third-party vendors, preferring first-party services, and implementing HTTP Content-Security-Policy headers to fortify their websites against Magecart attacks.

Are there any measures consumers can take to protect themselves from Magecart attacks?

Yes, consumers can protect themselves by being cautious with personal information, using single-use credit cards for online transactions, verifying domain URLs, employing browser plugins to block JavaScript from untrusted sites, and blocking connections to known malicious IP addresses and domains.

How can a comprehensive approach benefit both merchants and consumers in combating Magecart attacks?

By combining proactive measures on both sides, merchants can enhance their website security, while consumers can mitigate risks associated with online transactions. This collaborative effort reduces the likelihood of Magecart attacks, fostering trust and safety in the online shopping ecosystem.

Conclusion

Magecart attacks present a pressing threat in today’s online commerce landscape, emphasizing the urgency of robust cybersecurity. Understanding these attacks, implementing proactive defense measures, and fostering collaboration between merchants and consumers are vital steps in mitigating risks. By prioritizing cybersecurity, we can fortify eCommerce ecosystems and ensure trust and security for all involved.