Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/28/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.

For the report "In Plain Sight II: On the Trail of Magecart," conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps aren't properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.

Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. It's not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.

Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information. 

A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers' credit card information to an external server under adversaries' control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.

Magecart groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.

"While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecart's web," Lint continues. "Any website that conducts financial transactions or collects user credentials is a target." Victims ranged from luxury fashion retailers to motorcycle manufacturers and children's learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.

The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. "All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available," the report states. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.

Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.

What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of research estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, it's expected to approach $5 trillion. Lint anticipates the continued growth of the e-commerce market will drive the continued evolution of Magecart attacks.

If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure they're updated as new releases are made available.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: The Right to Be Patched: How Sentient Robots Will Change InfoSec Management.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ebyjeeby
50%
50%
ebyjeeby,
User Rank: Strategist
8/29/2019 | 4:16:07 PM
What, no names?
We need names of sites so we know which ones to avoid!
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.