Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/28/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.

For the report "In Plain Sight II: On the Trail of Magecart," conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps aren't properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.

Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. It's not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.

Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information. 

A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers' credit card information to an external server under adversaries' control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.

Magecart groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.

"While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecart's web," Lint continues. "Any website that conducts financial transactions or collects user credentials is a target." Victims ranged from luxury fashion retailers to motorcycle manufacturers and children's learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.

The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. "All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available," the report states. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.

Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.

What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of research estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, it's expected to approach $5 trillion. Lint anticipates the continued growth of the e-commerce market will drive the continued evolution of Magecart attacks.

If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure they're updated as new releases are made available.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: The Right to Be Patched: How Sentient Robots Will Change InfoSec Management.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ebyjeeby
50%
50%
ebyjeeby,
User Rank: Strategist
8/29/2019 | 4:16:07 PM
What, no names?
We need names of sites so we know which ones to avoid!
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.