Magecart is a consortium of unscrupulous hacker groups that steals customers' payment card information online. They target shopping carts built on systems like Magento, where a third-party piece of software from a systems integrator or a VAR is compromised, or an industrial process is infected, without being picked up by IT. This is known as a supply chain attack.

An online shopping cart is an extremely valuable target to a hacker because all the payment details from customers' cards have already been collected and are sitting in one place, waiting for a hacker to come along with their malware and take them right out of the cart. Virtually no ecommerce website thoroughly vets the code supplied by these third parties, which makes the job of a hacker with sophisticated malware quite simple.

Magecart has been present on the internet since 2016 and is becoming more and more prolific. It was featured in Wired Magazine's list of the Most Dangerous People On The Internet in 2018, following an analysis by RiskIQ which showed that Magecart was generating hourly alerts for websites compromised by its skimmer code.

Magecart was recently said to be placing payment card skimming scripts on the sites of MyPillow.com and AmeriSleep.com. Other attacks carried out by Magecart include:

Ticketmaster’s UK Operations (January 2018), British Airways (August 2018), NewEgg Electronics Retailer (September 2018), Shopper Approved (September 2018), Topps Sports Collectable Website (November 2018), Atlanta Hawks Fan Merchandise Online Store (April 2019), together with hundreds of college campus bookstores (April 2019) and Forbes magazine subscribers (May 2019).

Magecart works by taking a piece of JavaScript code and substituting it in one of two ways. It can alter the Magento source, or it can use an injection to redirect the shopping cart to a website containing the malware. Researchers have discovered 40 different exploits using injected code and, unfortunately, the only way this can be detected is by analysing the whole of the ecommerce code stack, checking each and every line to pick up any changes.

A hacker can also carry out an attack by hosting their malware in an unused GitHub project. They take over the project and upload their code, and once the code containing the malware is published, the altered code spreads quickly into hundreds and thousands of websites. The code from GitHub may not always be scanned, so this criminal activity can be carried out without being noticed.

When British Airways was hacked by Magecart, the RiskIQ report found that the attack had been engineered specifically for British Airways' systems. RiskIQ reported that the skimmer reflected detailed knowledge of how that particular payment page was set up, which highlighted that the scammers must have specifically worked out how to carry out an attack on British Airways rather than just injecting the regular Magecart skimmer.

RiskIQ produced another report which showed that after Magecart's first attack on MyPillow's website, Magecart continued to gain access to the site even after MyPillow had quickly detected and removed the original infection. Magecart went on to develop another style of attack by placing a second skimmer on MyPillow. They targeted LiveChat, adding a new script tag that matched the usually inserted script tag. They then went even further by taking the standard script returned from the real LiveChat, proxying it, and adding the skimmer code below it.
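
A defender-side check for the imitation script tag described above, as an added example that is not from RiskIQ's reports or from any of the affected sites: it lists the hosts a checkout page loads scripts from and flags any that are not allowlisted, marking near-matches of an allowed host as lookalikes. The hostnames, the allowlist and the sample HTML are constructed for illustration, and the function names are hypothetical.

```javascript
// Constructed allowlist: hosts this checkout page is expected to load scripts from.
const ALLOWED_HOSTS = ["shop.example", "cdn.livechat.example"];

// Constructed sample of checkout-page HTML (all hostnames are made up).
const SAMPLE_HTML = `
<script src="/static/cart.js"></script>
<script src="https://cdn.livechat.example/tracking.js"></script>
<script src="https://cdn.livechatt.example/tracking.js"></script>
<script async src='//stats.collector.example/c.js'></script>
<script>var inline = 1;</script>`;

// Levenshtein edit distance, used to spot hosts that imitate an allowed one.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Resolve the src of every external <script> tag to a lowercase hostname.
function scriptHosts(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return [...html.matchAll(re)].map((m) => {
    try { return new URL(m[1], pageUrl).hostname.toLowerCase(); }
    catch { return "(unparsable src)"; }
  });
}

// Report every script host that is not allowlisted; hosts within two edits
// of an allowed host are marked as lookalikes of it.
function auditScripts(html, pageUrl, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const host of new Set(scriptHosts(html, pageUrl))) {
    if (allowed.includes(host)) continue;
    const imitates = allowed.find((a) => editDistance(a, host) <= 2) || null;
    findings.push({ host, verdict: imitates ? "lookalike" : "unknown", imitates });
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

A host allowlist only covers injected script tags. A modified first-party file, the other route described earlier, still needs the served code compared against a known-good copy.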