When online shopping became a common form of commerce, hackers were quick to follow, creating a variety of attacks aimed at getting their hands on valuable user information. The one currently defined as a top threat is Magecart, which also targets online shopping carts and eCommerce checkouts. 

There are currently at least 7 hacking groups associated with Magecart attacks, each using its own tactics and targets. In this blog post, we’ve decided to match this number and present 7 crucial pointers that will help you better understand and protect your website from such attacks. 

Pointer #1: Knowledge is power – learn what Magecart is (and isn’t)

It’s easy to get confused over the meaning of this term, as it has changed over time. Previously, Magecart denoted the specific malware that was deployed by one of the first hacking groups back in 2016. Today it stands for a more general hacking method which affects millions of users and costs billions of dollars. 

Simply put, Magecart hackers are thieves with an impressive name and a hoodie. They normally target websites that perform a lot of transactions, stealing credit-card information – an action also known as skimming or, more recently, Formjacking. Then they usually sell this information on the dark web. Some Magecart groups may target smaller websites with a higher level of vulnerability, while others focus on bigger fish and greater sums of money. 

Pointer #2: Understand exactly how it’s done 

Magecart groups manage to skim their way into websites by compromising the website’s trusted  3rd party partners, modifying their JavaScript code, leveraging on their unmanaged and protected connections directly to the client-side browser. The unmanaged implemented code allows attackers to gain full developer-level (DOM) access to all the data provided throughout the session. Attackers are free to modify the code as they please, while the website’s owner remains completely in the dark, unable to monitor and/or control how the 3rd party interacts with users. 

The maliciously implemented code normally goes into effect during checkout (although hackers can interact with users at any point). This was the case for Ticketmaster customers in June 2018. Whenever users make a purchase, the code is out there, lurking and collecting data. The original website continues to work and the purchase is completed, but a copy of the payment form (hence Formjacking) is sent to the hacking group – and the rest is awful history.  

Pointer # 3: Here is what makes supply-chain hacking so attractive to hackers

The 7 hacking groups we know of today are sure to be joined by others, as this form of cyberattack rapidly grows in popularity. Every website, no matter how secure, becomes exposed to these attacks once it collaborates with 3rd party JavaScript suppliers, as most websites tend to do. 

Magecart attacks are hard to detect, which is one reason hackers love them so much. Website owners are often completely oblivious to the damage that is being done, and even when these attacks are eventually discovered, it’s easy for hackers to simply move on to the next target.

Pointer #4: Get a full grip on the risk potential

Magecart attacks target both the website code and 3rd party suppliers with which the website collaborates. This puts everyone’s reputation and customers at risk. Because these attacks are so difficult to track and prevent, it’s extremely challenging for websites to reassure customers and encourage online transactions.

When hackers attacked the Delta Air Lines website, for example, they did so through the company’s online chat service. Payment information was compromised, and passengers feared that personal data such as passport details were collected as well, although the company stated otherwise. We also recommend you read this item in order to broaden your perspective on the financial and business risks associated with Magecart attacks. 

Pointer #5: There’s a lot you can learn from previous attacks

By closely observing and mapping the groups behind Magecart attacks, we can learn a lot about their preferred methods and targets, and see how Magecart attackers evolve over time. In some cases, for example, we might witness a more “boutique” approach in which the attack is tailored to fit one website in particular. The reason behind this evolution is simple: hackers follow the money. 

Based on previous cases, we also know that sometimes months can go by without anyone noticing the security breach, as was the case for Topps.com. An investigation revealed that the site had been under an ongoing, active attack for several months. Hackers abuse 3rd party server vulnerabilities to compromise the JavaScript sent to all their client’s, and skim credit cards for long periods of time before they are caught.

In some cases, we’ve learned that while major company websites are highly attractive to hackers, they may still choose to target smaller websites. They can even go back and attack the same site over and over again. Techrabbit’s website, for example, suffered two different attacks, only three weeks apart. In fact, the latest Internet Security Threat Report published in February 2019 by Symantec shows that 20% of websites cleansed from Magecart attacks are reinfected. 

Pointer #6: Pay attention to Formjacking

It’s easy for many to get confused and consider Formjacking a new type of cybersecurity threat. In fact, it’s just a new name for the infamous Magecart attacks, recently coined by Symantec in their recent Internet Security Threat Report. The report also rated Magecart / Formjacking as today’s top cyber threat, overthrowing the five-year reigning ransomware from the top of the list. This says a lot about the volume and risks of Formjacking / Magecart attacks. The report also stated that 4,818 unique websites were affected by Formjacking attacks each month during 2018. 

Pointer #7: Research available protection methods and decide which is right for your website 

Magecart and Formjacking attacks expose major vulnerabilities in online retailers’ security efforts. We can clearly see that website owners fail to invest adequate resources in protection for themselves and their customers. The alert levels and efforts surrounding them need to meet the new standards hackers have created for the entire industry. 

Since these attacks make detection that much harder, websites need to look for ways to safeguard their website and ensure they are fully aware when compromised, and have an effective preventive solution ready. We’ve addressed some key questions you have to ask when evaluating protection options in this recent blog post, which can be useful to review. Generally speaking, websites must realize that simply implementing technology that controls the access of 3rd party suppliers is not enough to fully prevent Magecart and Formjacking attacks. Instead, they need to seek out tools that provide bulletproof, real-time prevention

We can expect Magecart and Formjacking attacks to continue evolving and changing as security methods manage to better expose and prevent them over time. More groups might join the game, and chances are that we’ll never have a dull moment. But the relatively good news is that as these attacks become more popular and dangerous, online retailers also become more aware and willing to take substantial action to prevent them. With this growing will to take action, and with security experts’ tools and tactics, we can win this game, one attack at a time. 

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.

Scroll