by Source Defense
A new report by Recorded Future’s Insikt Group reveals a concerning rise in Magecart attacks and e-skimming activity targeting online retailers. The research highlights how cybercriminals are evolving their tactics to bypass traditional, rather antiquated client-side security measures such as Content Security Policy (CSP) and compromise e-commerce platforms at an alarming rate.
Magecart Attacks Skyrocketing
The digital landscape of e-commerce security has shifted dramatically over the past year, revealing a perfect storm of vulnerabilities and sophisticated attacks. As researchers delved into the data, a troubling picture emerged of cybercriminals adapting faster than many retailers can defend.
The most striking revelation came in raw numbers: Magecart infections skyrocketed by 103% in just six months. This isn’t a gradual uptick—it’s a tidal wave of attacks flooding the e-commerce space. Behind this surge lies a complex web of factors contributing to the growing threat.
In February 2024, a critical vulnerability in Adobe Commerce sent shockwaves through the industry. Dubbed CVE-2024-20720, this flaw became a golden ticket for cybercriminals. They wasted no time, swiftly exploiting it to inject fake Stripe payment skimmers into countless Magento-based websites. It was a stark reminder of how quickly the digital underworld can weaponize newly discovered weaknesses.
But the story doesn’t end with known vulnerabilities. The underground economy has been busy innovating, and a new player entered the scene: “Sniffer By Fleras.” Sold for a mere $1,500 on dark web forums, this user-friendly e-skimmer kit lowered the barrier to entry for aspiring cybercriminals. The result? Between March and July 2024, threat actors used Sniffer By Fleras to infect at least 488 e-commerce websites.
E-Skimming Tactics
While the core methods of e-skimming have mostly stayed the same, the techniques for deploying and hiding these malicious scripts have evolved significantly. “E-skimming has remained relatively consistent in recent years, with only minor advancements in the core scripting methods employed by cybercriminals,” the report states. “However, the methods used to construct the e-skimmer scripts have continued to adapt, as have the obfuscation techniques used to disguise them.”
Gone are the days of simple, direct injections. Today’s attackers are craftier. “Actors continue to move away from the injection of e-skimmer URLs directly into websites, opting for loader scripts that deobfuscate the e-skimmer URL upon execution,” according to the report. “Even loaders that inject the e-skimmer URL into the page are being phased out and replaced with loaders that retrieve the script from the e-skimmer URL and execute it directly.”
They’re also getting creative with their injection points. “HTML tags capable of embedding client-side scripts are becoming the injection point of choice for malicious actors.”
Perhaps most concerning is the continued abuse of trusted services. “We continue to see abuse of free services, such as Amazon CloudFront, Google Tag Manager (GTM), and Telegram Bot API, within the Magecart attack chain,” researchers stated. “These services are used for hosting loaders and e-skimmer scripts, and in the case of Telegram, serving as the receivers of stolen data.”
By leveraging these legitimate services for hosting and data exfiltration, attackers add a veneer of credibility to their operations, further blurring the lines between benign and malicious activity. Attackers also turn the broad capabilities of these legitimate tools to their own ends, rendering traditional blacklisting/whitelisting approaches ineffective, since the hosts involved are the same ones legitimate site functionality depends on.
As security teams race to keep up, they’re finding that traditional detection methods are failing. The sophistication of these new attacks, combined with their ability to blend in with normal website operations, has created a detection crisis. It’s no longer enough to look for obvious signs of compromise—the game has changed, and so must the defenses.
This new research paints a clear picture: the threat of Magecart and e-skimming is not just persisting—it’s thriving. As we move forward, a new approach to client-side security is desperately needed to turn the tide in this ongoing battle for the safety of online commerce.
Magecart Tactics
The rapid exploitation of new vulnerabilities like CVE-2024-20720 underscores the critical importance of timely patching and security updates for e-commerce platforms. However, the complexity of many online retail systems often leads to delays in applying these crucial fixes, leaving attackers with a window of opportunity.
The emergence of easy-to-use kits like “Sniffer By Fleras” is particularly concerning, as it lowers the technical barrier for cybercriminals to launch sophisticated Magecart attacks. This commoditization of e-skimming tools could lead to a further proliferation of these threats in the coming months.
The evolving obfuscation and injection techniques highlight the ongoing cat-and-mouse game between attackers and defenders. As security teams improve their detection capabilities, criminals adapt their methods to stay one step ahead. This constant evolution requires a more dynamic and proactive approach to client-side security.
Client-Side Security
The report predicts that Magecart intrusions are unlikely to slow down in the remainder of 2024. To combat this growing threat, online retailers and security professionals must take a multi-layered approach:
- Prioritize vulnerability management and rapid patching of e-commerce platforms
- Reduce or abandon reliance on Content Security Policy (CSP) as a primary control for e-skimming attacks, given the advancing nature of adversarial techniques
- Conduct frequent security audits and monitor third-party integrations closely
- Leverage client-side security controls with advanced behavioral analysis and anomaly detection to identify subtle signs of compromise
- Do not delay: prepare for and implement the PCI DSS 4.0 requirements now, particularly those around script validation, proactive monitoring, and prevention
Retailers should also carefully audit any existing security controls, such as CSP, that they may have implemented. These controls are often implemented incompletely or incorrectly, or are rendered ineffective when business priorities override security priorities.
As the holiday shopping season approaches, it’s crucial for both retailers and consumers to remain vigilant. Shoppers should monitor their financial statements closely and be wary of any suspicious activity on websites they visit. Retailers must prioritize client-side security as a critical component of their overall cybersecurity strategy to protect their customers and maintain trust in the digital marketplace.
Preventative Measures and Best Practices
To prevent similar incidents, organizations should consider the following:
- Implement advanced, behavior-based e-skimming (client-side) security solutions: Adopt platforms that offer comprehensive visibility and control over the actions of third-party scripts to prevent advanced client-side threats.
- Regular Security Assessments: Conduct frequent risk analyses and penetration testing of web applications.
- Third-Party Vendor Management: Implement strict controls and monitoring for third-party scripts and services.
- PCI DSS v4.0 Compliance: Prioritize meeting the new requirements, particularly 6.4.3 and 11.6.1, well ahead of the March 2025 deadline.
Source Defense offers a powerful solution to these challenges:
- Real-Time Protection: Source Defense’s technology utilizes behavior-based techniques and provides real-time monitoring and protection against client-side attacks, allowing organizations to detect and mitigate threats as they occur. Source Defense defeats supply chain attacks that CSP can’t stop.
- Third-Party Script Management: By offering granular control over third-party scripts, Source Defense helps organizations mitigate the risks associated with external code running on their websites.
- Compliance Support: Source Defense’s solutions align with PCI DSS requirements, particularly 6.4.3 and 11.6.1, helping organizations maintain compliance while enhancing their security posture.
- Behavioral Analysis: Leveraging advanced behavioral analysis, Source Defense can identify and block malicious activities that might evade traditional security measures.
- Reduced Operational Burden: By automating many aspects of client-side security, Source Defense helps organizations enhance their protection without significantly increasing their operational workload.
Implementing a solution like Source Defense can prevent all forms of client-side attacks. As cyber threats evolve, adopting such advanced, behavior-based web application defense solutions becomes not just a best practice but a necessity for organizations handling sensitive customer data.