
Breaching British Airways, Ticketmaster, and Macy's, Magecart attack groups sharply rose in sophistication and pervasiveness this year -- and show no signs of slowing down.

Image by Elnur, via Adobe Stock

In mid-October, an online criminal group used embedded code to skim personal and financial information from visitors who purchased goods while shopping on Macy's e-commerce site.  

While the retail giant notified customers on Nov. 15, the company has yet to release details of the attack. For example, how many customers were affected by the breach remains unknown.

Researchers, however, believe the intruders belong to a loose grouping of cybercriminal gangs known as Magecart groups, named for their habit of skimming financial details from shopping carts and, often, the Magento e-commerce platform. 

This particular group had upped its game: The attackers had tightly integrated their information-gathering code into two parts of the website and had knowledge of how Macy's e-commerce site functioned, security firm RiskIQ said in a Dec. 19 analysis.

"The nature of this attack, including the makeup of the skimmer and the skills of the operatives, was truly unique," said Yonathan Klijnsma, head researcher with RiskIQ, in his analysis. "I've never seen a skimmer so meticulously constructed and able to play to the functionality of the target website."

The Macy's breach is the latest success for the broad class of Magecart attackers. In 2018, Magecart groups breached Ticketmaster, Newegg, and British Airways, with seven different groups targeting e-commerce sites and skimming customer information, according to threat intelligence firm RiskIQ. In 2019, attackers hit Macy's, SixthJune, and the American Cancer Society, and the number of Magecart groups researchers were tracking ratcheted up to 16. 

The groups are not unified and run the gamut from state-sponsored intelligence operations to low-level criminals using downloaded tools, according to RiskIQ. Some groups use automated tools to hit as many vulnerable sites as possible. One group — labeled Group 4 — uses obfuscation and targeting to try to blend into the victim's website's files. Another — Group 5 — tries to compromise third-party suppliers.

Yet the combined activity of all these groups has caused major breaches this year and hundreds of millions in fines, many of them levied under the European Union's newly minted General Data Protection Regulation (GDPR). One victim, hotel chain Marriott, will likely have to hand over £99 million (US$124 million), while air carrier British Airways could see a £183 million (US$229 million) fine under GDPR.

"Overall, poorly secured sites combined with a few serious vulnerabilities resulted in a very successful year for Magecart threat actors," says Matthew Gluck, a senior analyst with Flashpoint.

The situation is only set to get worse.

Complex Supply Chains, Greater Vulnerability
While the injected code and the attackers behind it may have become more sophisticated, the real problem for defenders is that the sites have become more complex as well. In the past, websites were monolithic affairs — a single developer supplied the code or the service to a company. Over the past decade, however, that has rapidly changed.

"Now websites are much more complex," says Sandy Carielli, principal cybersecurity and risk analyst at Forrester Research. "You are pulling components, many of which you don't own. To a large extent, this has become a supply chain problem."

The extent of the problem is significant. In its "2019 State of the Software Supply Chain Report," Sonatype found that 51% of JavaScript components had a known vulnerability and that open source vulnerabilities had increased 71% over the past five years. At one point in October, 2 million websites showed signs of Magecart skimmers.

From an e-commerce perspective, the situation also seems dire. E-commerce platform Magento, a common Magecart target, is used by over 1% of all websites, and 3% of those sites are infected with Magecart at any given point in time, according to threat intelligence firm Flashpoint. About 7% of websites use an e-commerce platform, any of which could be appetizing to Magecart groups.

"Targets are plentiful, actors rarely get caught, and infrastructure is relatively easy to tear down and set up," says Flashpoint's Gluck. "These conditions suggest that there is very low risk and high reward for would-be attackers."

A key part of the Magecart framework is the code that skims credit card information from the page. This component is evolving quickly, says RiskIQ's Klijnsma.

"Traditionally, skimmers were made very generic so they can work on 90% of the payment pages," he says. "We now see a more targeted and tuned-in approach. Skimming used to be a bit novel, but as the criminals get more used to the concept, they get better at building skimmers, making them more efficient and more effective."

As in the case of the Macy's compromise, the attackers are also expanding their reach across the website, he says. "One example of this is that we see groups targeting more than just the checkout pages," Klijnsma says. "Valuable information lives in more places than just the checkout page, and criminals realize this. When they build skimmers that blend into the unique construction of their target website, they can skim information from across the site, not just the checkout page."

Know Your Components
To head off Magecart, companies need to patch and make sure that all components come from trusted software developers that are also doing their due diligence. At each step in the development and deployment cycle, businesses should check to make sure that malicious code is not being injected into their websites and applications, says Forrester's Carielli.

"Firms should look at some of their application security tools used in production and see what they have to protect against Magecart types of attacks," she says. "Are there scanning tools out there to search for code injection in your site and your third-party components?"

Companies also need to make sure their sites are updated as soon as a patch is available. Some Magecart attacks happen as soon as the attackers can reverse-engineer a patch, says Flashpoint's Gluck.

"Misconfigured and unpatched sites, combined with weak password policies and lack of multifactor authentication, remain at the heart of Magecart activity," he says. "Companies that do not immediately update to new Magento versions are often susceptible to attack."

With significant fines facing any company that fails to adequately guard its site and its customers' data, protecting against Magecart-type attacks should be a priority for any business.

Yet Carielli warns that Magecart is just one of the threats that could lead to a large fine. Companies should make sure they select defenses that best protect them against the broad range of issues they are facing.

"Magecart would certainly be one of the high-cost, high-fine attacks that we will see, but considering that we are dealing with European data breach regulations, other types of breaches and data loss will also continue to be a significant threat," she says.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
