Most business owners will be aware of the idea of a credit card skimmer: a physical device placed on ATMs for the purpose of stealing card details.
The idea of a digital version of such technology – a web skimmer – shouldn’t be hard to imagine but what would it look like, how would it work and what would the implications be for businesses?
Well, we don’t have to guess or predict because such skimmers have already been used to great effect by a hacker collective referred to as Magecart. This article charts the evolution of Magecart from its rudimentary beginnings as a basic script inserted into small online ecommerce stores to a sophisticated fraud operation targeting the biggest corporates.
We also look at what damage Magecart could do to your business and how to mitigate that threat.
Early Origins as a Magento Script
It was in early 2015 that cybersecurity company RiskIQ began receiving reports of customer card details being stolen from ecommerce stores. These stores had one thing in common: they used the open source Magento platform. RiskIQ named the hacker group (now thought to be at least half a dozen different groups) Magecart and began investigating the compromised sites.
They found that the compromised sites contained a fairly basic piece of embedded JavaScript code. The script would use a RegExp test to identify whether the website contained the Magento Firecheckout module and whether the user was on the checkout page. If the result came back true, once the customer had entered their card’s expiry date (the last field in the card entry form), the script would collect the information from all form fields, combine it into a single data set and then exfiltrate the data to a database on a C2 server.
RiskIQ published their findings in October 2016 but the response was underwhelming.
Cashing Out: The Reshipping Operation
The collection of card data was only the first part of a wider criminal operation. While some card details were simply sold via online dump shops (the data skimmed from a credit card is referred to as a dump), others were used to buy high value goods from Amazon and other online stores.
These orders were delivered to US addresses before being shipped on to eastern Europe. Those shipping the goods tended to be innocent mules who had unwittingly responded to adverts looking for Russian speakers to set up reshipping businesses.
How did RiskIQ uncover this fraud? One of the destination servers for the stolen data hosted a reshipping website complete with ‘agent login’ function.
In July 2017, RiskIQ again published their findings, connecting the basic credit card exfiltration with the integrated reshipping scam they had now exposed. This second report was taken more seriously by the payment card industry and law enforcement who realized that something had to be done.
How Magecart Has Evolved to Take on Big Corporates
Meanwhile, Magecart’s business model was evolving.
Clearly not content with the amount of work they were putting in for relatively slim pickings, Magecart moved away from targeting small Magento sites. Instead, the hackers began to look around for third-party services which could be used as a back door into bigger targets.
With limited or non-existent security teams, these service providers proved easy to hack, giving Magecart access to their servers. From there, Magecart were able to modify the JavaScript elements which they had embedded in their clients’ websites and apps. Some of the affected services included web analytics, push notifications, chatbot-based IT support and ecommerce hosts. One of the hacked service providers, an ecommerce hosting platform called Clarity Connect, even received threatening messages originating from their own servers after they found and removed the scripts.
In 2017 Magecart struck gold. One of their victims, SocialPlus, happened to be plugged into the TicketMaster ecosystem. Once they had sunk their fangs into this rich stream of data, Magecart dug deeper, compromising another third-party service used by TicketMaster, this one provided by Inbenta Technologies.
To help avoid detection of their scripts, Magecart concealed them using an obfuscator.
In 2018, British Airways announced that they had been attacked with up to 380,000 customers having their card details and PII stolen. When an employee admitted, in an interview, that malicious code had been added to the website and app, ears pricked again at RiskIQ who took on the daunting task of crawling billions of BA websites to locate the script in question. Once again, they found a web skimmer script but this time highly customized to blend seamlessly in with the BA website experience. The 22 lines of code even included instructions for logging both mouse and touchscreen actions which meant that the customers using the BA app, which pulled content directly from the compromised webpage, would also trigger the script.
How a Magecart Breach Could Affect Your Business
A Magecart breach is not to be taken lightly given the ramifications for businesses of all sizes.
The British Airways example should serve as a warning to business of the potential financial consequences of a Magecart attack. The UK information regulator, the ICO, acted within the rules of the EU’s General Data Protection Regulation (GDPR) by imposing a hefty £183m ($230m) fine on the company.
Meanwhile, lawyers continue to prepare the groundwork for group legal action against TicketMaster. Then there is the financial impact of an inevitable loss of trust from existing and potential customers.
Security Tips to Protect Sensitive Data from Magecart
The first thing to consider is whether you might have been breached already. Chances are you will use at least one third party service on your website and you shouldn’t assume that just because everything is working as planned, you don’t have a problem. As IT support Los Angeles services provider DCG Inc. explains: ‘cybercriminals are now moving from the obvious detectable cyberattack techniques to techniques that are more sinister and undetectable.’
If an attack is suspected, IT security specialists should be able to clean up the doctored scripts. They should also be able to determine whether the issue is due to your own servers being compromised or that of a third party partner. You can then either patch the server vulnerabilities or stop using the affected third party.
Leading client-side security solutions can help protect users from Magecart by providing real-time visibility of malicious code and preventing third-party resources from executing malicious scripts whether these are hidden within an app or on a website. Other types of software can monitor websites for changes to scripts which is one of the techniques used by RiskIQ to detect malicious script injection.
How do you prevent the malicious scripts being injected in the first place? Unfortunately, if a third-party service is hacked, there is no infallible way of protecting yourself. The best you can do is work on gaining complete visibility of client-side threats. It is also prudent to outsource third-party vetting to a company that provides professional IT consulting. Los Angeles firm DCG Inc. explains how important it is to, ‘implement strict security measures when partnering with outside firms.’
At the time of writing, Macy’s had become the latest high profile victim of Magecart. Given the malware’s evolving design and Magecart’s interest in websites which process high volumes of debit and credit cards, they are unlikely to be the last.
