Cybersecurity In-Depth
The Edge

The Year of Magecart: How the E-Commerce Raiders Reigned in 2019

Breaching British Airways, Ticketmaster, and Macy's, Magecart attack groups sharply rose in sophistication and pervasiveness this year -- and show no signs of slowing down.

Complex Supply Chains, Greater Vulnerability
While code injection and the attackers may have become more sophisticated, the real problem for defenders is that the sites have become more complex as well. In the past, websites were monolithic affairs — a single developer supplied the code or the service to a company. Over the past decade, however, that has rapidly changed. 

"Now websites are much more complex," says Sandy Carielli, principal cybersecurity and risk analyst at Forrester Research. "You are pulling components, many of which you don't own. To a large extent, this has become a supply chain problem."

The extent of the problem is significant. In its "2019 State of the Software Supply Chain Report," Sonatype found that 51% of Javascript components had a known vulnerability and there has been a 71% increase in open source vulnerabilities over the past five years. At one point in October, 2 million websites showed signs of Magecart skimmers

From an e-commerce perspective, the situation also seems dire. E-commerce platform Magento, a common Magecart target, is used by over 1% of all websites, and 3% of those sites are infected with Magecart at any given point in time, according to threat intelligence firm Flashpoint. About 7% of websites use an e-commerce platform, any of which could be appetizing to Magecart groups.

"Targets are plentiful, actors rarely get caught, and infrastructure is relatively easy to tear down and set up," says Flashpoint's Gluck. "These conditions suggest that there is very low risk and high reward for would-be attackers."

A key part of the Magecart framework is the code that skims credit card information from the page. This component is evolving quickly, says RiskIQ's Klijnsma.

"Traditionally, skimmers were made very generic so they can work on 90% of the payment pages," he says. "We now see a more targeted and tuned-in approach. Skimming used to be a bit novel, but as the criminals get more used to the concept, they get better at building skimmers, making them more efficient and more effective."

As in the case of the Macy's compromise, the attackers are also expanding their reach across the website, he says. "One example of this is that we see groups targeting more than just the checkout pages," Klijnsma says. "Valuable information lives in more places than just the checkout page, and criminals realize this. When they build skimmers that blend into the unique construction of their target website, they can skim information from across the site, not just the checkout page."

Know Your Components
To head off Magecart, companies need to patch and make sure that all components come from trusted software developers that are also doing their due diligence. At each step in the development and deployment cycle, businesses should check to make sure that malicious code is not being injected into their websites and applications, says Forrester's Carielli.

"Firms should look at some of their application security tools used in production and see what they have to protect against Magecart types of attacks," she says. "Are there scanning tools out there to search for code injection in your site and your third-party components?"

Companies also need to make sure their sites are updated soon as soon as a patch is available. Some Magecart attacks happen as soon as the attackers can reverse-engineer a patch, says Flashpoint's Gluck.

"Misconfigured and unpatched sites, combined with weak password policies and lack of multifactor authentication, remain at the heart of Magecart activity," he says. "Companies that do not immediately update to new Magento versions are often susceptible to attack."

With significant fines costing any company that fails to adequately guard their site and their customers' data, protecting against Magecart type attacks should be a priority for any business.

Yet Carielli warns that Magecart is just one of the threats that could lead to a large fine. Companies should make sure they select defenses that best protect them against the broad range of issues they are facing.

"Magecart would certainly be one of the high-cost, high-fine attacks that we will see, but considering that we are dealing with European data breach regulations, other types of breaches and data loss will also continue to be a significant threat," she says.