Dark Reading
Cloud

6/11/2019
10:30 AM
Casey Quinn
Commentary

Getting Up to Speed on Magecart

Greater awareness of how Magecart works will give your company a leg up on the growing threat from this online credit card skimmer. Here are four places to start.

If you're not yet familiar with Magecart, you should be. On May 3, it was revealed that hackers used it to steal payment info from hundreds of online college bookstores. By some estimates, Magecart attacks have resulted in the theft of more credit card information than the high-profile breaches at Home Depot and Target. Beyond the college bookstores, it has hit the likes of Ticketmaster, British Airways, My Pillow, and Newegg in the last year alone. It's time you got up to speed on the topic.

Magecart (pronounced like "age-cart," but with an "m" at the beginning) is a method used to attack the payment systems of online vendors. It is the Web equivalent of a physical credit card skimmer (like those attached to the magnetic stripe readers at gas pumps): instead of reading the stripe when a card is swiped, it is malicious JavaScript planted in a site's checkout page that captures the card number and other details as the customer types them into the payment form. The stolen data is then sent to a server the attackers control, to be sold or used later. Unlike at the gas pump, there is almost no way for a consumer to tell that skimming is taking place: the page looks and behaves normally, and the legitimate payment still completes. It is not always easy to catch even for knowledgeable IT professionals, because it hides in shared third-party code and in scripts that are not obviously related to payments.

Since first appearing in 2014, Magecart has been adopted by several different groups and aimed at various targets. Each iteration tries to adapt to whatever defenses it encounters and seeks to exploit new vulnerabilities, making it difficult to predict and stop. Leading researchers, like Yonathan Klijnsma, believe the various Magecart breaches have been carried out by at least 12 different groups since the method was first used, and have noticed the groups moving beyond credit cards to steal credentials and administrative information as well.

Generally speaking, payments over the Web are relatively secure, with vendors using PCI DSS-compliant systems. As companies look to cut costs and increase efficiency, many build on open source e-commerce platforms and shared libraries to simplify development and keep their code uniform. Others use third-party vendors to handle their payment systems. Although not bad ideas in themselves, these choices mean that one vulnerability in a widely used component, or one compromised supplier, gives attackers a way onto many checkout pages at once, which is precisely the opening Magecart exploits.

The Newegg.com Breach
Despite not yet being a household name, Magecart is a growing problem. Last year's breach involving Newegg.com illustrates what Magecart does and how it works. According to Volexity Threat Research, on August 13, 2018, the Magecart attackers registered the domain neweggstats.com, a lookalike chosen to blend in with Newegg's own traffic (and a sign that the attackers had likely already gained a foothold on the Newegg site). The same day they obtained an SSL certificate for it, so that browsers would connect to the domain over HTTPS without warnings and the traffic would look legitimate. The skimming began the next day, August 14, when the attackers added eight lines of malicious JavaScript to the payment page, and it continued until September 18, more than a month, before the code was removed.

More specifically, the Magecart attackers inserted malicious JavaScript into a single page presented during checkout. To reach that page, a customer had to put an item in the cart and enter shipping information; only then was the payment page, with its malicious code, served. When the customer pressed the button to submit the payment form, the skimmer serialized the form's contents and sent a copy over HTTPS to the attackers' drop server at neweggstats.com, while the legitimate transaction completed as normal. The back end on the drop server saved the captured data. Once the attackers had accumulated a significant amount of credit card information (about 500,000 credit card numbers), they listed it for sale on underground markets.

Not surprisingly, Newegg revealed little about how exactly it was compromised. Whether the root cause was weak security controls, poor credential management, or human error, tighter controls might have prevented it. Whatever monitoring Newegg had in place did not detect, for weeks, that its payment page had been altered. The Magecart attackers certainly made a significant effort to keep their actions from being obvious, but it is fair to say that the attack went on longer than it should have.

Protecting Your Company
With a seemingly endless supply of online retailers relying on third-party code and similar systems to handle purchases, and of unsuspecting consumers buying from them, Magecart is likely to remain a threat. But being aware of Magecart and how it works should give your company an advantage in protecting itself as you consider the following four measures:

1. Reevaluate your current cybersecurity infrastructure. Your systems probably already include some type of logging and a way to review it, but would you, or your IT team, know if an attacker added eight lines of code to your website's payment page? Server-side logs will not necessarily show it: the skimmer runs in the customer's browser, and its traffic goes to the attacker's domain, not yours. Controls that do help are integrity monitoring of the checkout page and its scripts, a Content Security Policy that restricts where scripts may load from and where the page may send data, and Subresource Integrity hashes on third-party scripts so that a silently modified copy fails to load. Regardless of the answer, it is good practice to regularly check that your defenses are prepared for current threats.

2. Is your IT team aware of what Magecart is? Do they know how they would respond? Do you have a cybersecurity incident response plan in place? From the way events unfolded, it appears Newegg learned of the breach from outside researchers and then had to be reactive instead of proactive. If a researcher contacted your company to alert you to a breach, would you know what to do? Do you have a plan in place for evaluating the damage and communicating about the situation to your customers?

3. Carefully consider the vendors you use for your business (both online and offline), especially with regard to public-facing critical systems like the checkout page. Know exactly which third-party scripts run on that page and why each one is there. Strive to ensure that your vendors have their own cybersecurity response plan in place and are doing all they can to avoid needlessly exposing your data.

4. Avoid payment methods that require your site to handle the raw credit card number. Visa has addressed this with a token system in its Visa Checkout service, which replaces the card number at checkout with a token that is useless to a thief. It is not a perfect solution, since a skimmer that controls the page can still present its own fake form, but it shrinks what a skimmer on your page can capture and protects both you and your customer.

Casey Quinn is an associate in Newmeyer & Dillion's Las Vegas office, and a member of the firm's privacy & data security practice. Casey brings his substantial experience in complex business litigation to the table helping businesses proactively navigate the legal landscape ...