Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/28/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.

For the report "In Plain Sight II: On the Trail of Magecart," conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps aren't properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.

Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. It's not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.

Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information. 

A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers' credit card information to an external server under adversaries' control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.

Magecart groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.

"While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecart's web," Lint continues. "Any website that conducts financial transactions or collects user credentials is a target." Victims ranged from luxury fashion retailers to motorcycle manufacturers and children's learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.

The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. "All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available," the report states. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.

Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.

What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of research estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, it's expected to approach $5 trillion. Lint anticipates the continued growth of the e-commerce market will drive the continued evolution of Magecart attacks.

If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure they're updated as new releases are made available.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: The Right to Be Patched: How Sentient Robots Will Change InfoSec Management.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26788
PUBLISHED: 2021-03-08
Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected by incorrect input validation, which may cause a denial of service (DoS). To exploit the vulnerability, an attacker needs to have TCP connectivity to the target system. Receiving a maliciously crafted TCP packet from an unauthentic...
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.