7 Signs of the Rising Threat of Magecart Attacks in 2019
Magecart attacks continue to grow in momentum. Here are the stats and stories that show what's behind the mayhem.
May 20, 2019
Popping up in various permutations for the better part of four years now, the online payment skimming operations run by Magecart fraudsters continue to intensify in 2019. Targeting vulnerable content management systems used for running payment on e-commerce sites, Magecart once was used to describe the group running these attacks. But as their number widened to as many as 12 major identifiable criminal syndicates, the Magecart moniker is just as likely to refer to the common techniques they use.
Magecart attacks work on the same principles that a POS skimmer would at a physical cash register. The bad guys find a way to quietly insert scripts onto compromised servers running payment systems to steal customer data as it's entered by customers on an e-commerce site, sending that data silently to the attackers without interrupting the payment mechanism.
"With the number of criminal groups operating these skimming campaigns, it's likely one of the biggest threats facing e-commerce right now," said Yonathan Klijnsma, threat researcher for RiskIQ, late last year.
Security experts like Bob Rudis, chief data scientist at Rapid7, believe this has to do with the work done to reduce POS fraud through the use of chip-based credit cards.
"Attackers still want payment card data, since they have their own playbooks full of successful steps they can take to turn digits into dollars," Rudis recently wrote. "Rather than abandon all this coin, they've refocused their efforts to the server side."
Last year we saw anecdotal evidence of this with high-profile Magecart attacks against the likes of British Airways, Ticketmaster, and NewEgg. The hits keep coming, and the signs are mounting that Magecart is gaining even more momentum this year.
Rapid7's Rudis points to Verizon's "2019 Data Breach Investigations Report" for evidence that attackers are using Magecart attacks to shift to server attacks in a chip-enabled credit card world. Within the report, one stat shows that the industry has reached an almost "50% crossover point," where the balance between payment breaches made on Web app servers and those made elsewhere is inverting.
"These types of [server] attacks fall under the general category of 'Magecart,' which has two primary flavors: attacks in content delivery networks and outright server compromise," he explained. "The 83 breaches documented in the DBIR fall into the latter category and should be a serious wake-up call to any organization that processes payment card data on any portion of its website."
On an individual attack level, one of the first high-profile attacks made public this year hit kitchen appliance maker OXO. The attack itself was actually run over the course of mid-2017 through late-2018, but consumers weren't informed of the risks until January 2019.
According to research by BleepingComputer, at least one of the multiple compromises reported in January followed the standard Magecart playbook, injecting JavaScript into the code of OXO's checkout page to skim customer data.
Meantime, the most recent anecdotal evidence of 2019 Magecart mayhem came by way of an attack uncovered last week against Forbes' magazine subscription site. Discovered by Troy Mursch, chief research officer at Bad Packets, the Magecart infection once again came by JavaScript embedded by attackers in the site's HTML source code, according to a report from The Register. Officials with Forbes say they don't believe attackers managed to steal information with the attack, but recent subscribers to Forbes' print publication were urged to keep a lookout for fraudulent activity in the coming months.
The Forbes attack was likely tied to a broader Magecart blanket campaign that was also uncovered in the past week by researcher Willem de Groot, who found it targeting marketing software that's at the heart of the software supply chain for e-commerce payment platforms. Similarly, he found earlier in the month that Magecart skimmers were going to the supply chain by attacking payment gateways used by payment content management platforms.
"Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a 'shotgun' approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative," wrote RiskIQ's Klijnsma. Suppliers included AdMaxim, CloudCMS, and Picreel, he noted.
Forbes reported that it is, in fact, a customer of Picreel, which could be where the attack against it originated.
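The mechanism described above (skimmer code inserted into a checkout page, either as an injected inline script or delivered through a compromised third-party supplier) can be caught on the defender's side by inventorying every script a checkout page loads and diffing that inventory against an operator-maintained baseline. The following is an added example of that check and is not code from the article or from any vendor it quotes; the site name, the allowed hosts and the sample page are constructed placeholders.

```python
# Added example (not code from the article or from any vendor it quotes).
# Inventory the <script> elements on a checkout page and diff them against a
# baseline the site operator maintains. Injected skimmer code shows up as an
# inline script whose hash is not in the baseline, or as an external script
# pulled from a host that was never approved (the supply-chain case).
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def inline_hash(text: str) -> str:
    """SHA-256 of an inline script body, whitespace-trimmed at both ends."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


class ScriptInventory(HTMLParser):
    """Collects ('external', src) and ('inline', sha256) for every <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw (CDATA), possibly in chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.scripts.append(("inline", inline_hash("".join(self._buf))))


def audit_checkout_page(html, page_url, allowed_hosts, allowed_inline_hashes):
    """Return a list of (finding, detail) for scripts not in the baseline."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, value in parser.scripts:
        if kind == "external":
            # Resolve relative and scheme-relative src values against the page URL
            host = urlparse(urljoin(page_url, value)).netloc.lower()
            if host not in allowed_hosts:
                findings.append(("unexpected-script-host", value))
        elif value not in allowed_inline_hashes:
            findings.append(("unknown-inline-script", value))
    return findings


# Constructed sample page (hypothetical shop.example site) with one approved
# third-party widget, one approved inline snippet, and two additions that
# the baseline does not know about.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.approved-widget.example/widget.js"></script>
<script>window.cartTotal = 42.00;</script>
<script src="//unknown-host.example/t.js"></script>
<script>(function(){var f=document.forms[0];/* unreviewed code */})();</script>
</head><body><form id="pay"></form></body></html>"""

# Baseline: hosts the operator has approved and hashes of reviewed inline code.
ALLOWED_HOSTS = {"shop.example", "cdn.approved-widget.example"}
ALLOWED_INLINE = {inline_hash("window.cartTotal = 42.00;")}

if __name__ == "__main__":
    for finding in audit_checkout_page(
        SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout",
        ALLOWED_HOSTS, ALLOWED_INLINE,
    ):
        print(*finding)
```

Run against the sample, the audit reports the scheme-relative script on the unapproved host and the unreviewed inline script, and stays silent on everything in the baseline. The hash comparison deliberately ignores where an inline script sits on the page, so a skimmer appended to a legitimate inline block changes the hash and is flagged, while harmless reordering of approved scripts is not. In practice the same inventory is what a Content Security Policy or Subresource Integrity rollout would be built from, and the approved-host list should cover the marketing and analytics suppliers named in campaigns like the one above, since they are exactly the third parties a supply-chain compromise would abuse.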
The 'Mage' behind the Magecart moniker comes from the predominant attack pattern targeting sites using the Magento platform. But as researchers with RiskIQ point out, attacks of this style spread well beyond these sites.
"For every Magecart attack that makes headlines, we detect thousands more that we don't disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms," wrote Klijnsma earlier this month.
For example, his team found that the most recently active group committing Magecart attacks has been focusing not only on Magento, but also on OpenCart and osCommerce.
Meantime, lookalike attacks are mounting to the point where some in the community are wondering whether Magecart is even descriptive enough to describe a broadening class of attacks. A recent report on a new version of what researchers are calling "JavaScript sniffers" (JS sniffers) found that similar but slightly different attacks are coming out of the woodwork in volume. Researchers say at least 38 families of JS sniffers are in the wild that try to compromise e-commerce websites' checkout pages to intercept payment data.
"JS Sniffers is a type of malware that remains poorly researched. Despite its simplicity, it is capable of causing massive financial and reputational damage to huge international corporations and therefore should not be underestimated," wrote Dmitry Volkov, CTO and head of threat intelligence for Group-IB. "The umbrella term Magecart given to these attacks by RiskIQ analysts should be much broader than that. There are many more groups using distinct families of JS Sniffers capable of targeting online stores."