On September 18th, a series of credit card skimming incidents came to light, first reported by Trend Micro. Magecart was used to hit two booking websites belonging to two different hotel chains.
Both hotel chains operate approximately 100 properties each, in 14 countries. The report described the attacks in great detail, which I thoroughly enjoyed. From its conclusions, it seemed that the compromised websites could not have done anything to prevent the incidents.
Let’s take some time to explain exactly what the hackers did, and why they did it. I will also discuss some of the mitigation options available and explain why traditional methods will NOT work against this type of attack. Ultimately, we’ll discuss the only solution that could have prevented these incidents.
A recap of the attack, and the reasoning behind what the hackers did:
Who is Magecart?
How Did they Do it…in 5 Steps
- The actual malicious code was delivered from the hackers’ own Google Tag Manager account. We can assume that the reason for using Google Tag Manager was to bypass any CSP or SRI protection on the site. CSP is often wrongly cited as a solution to Magecart and formjacking attacks; hackers get around it simply by delivering their code from an already whitelisted domain such as Google, Facebook or any other 3rd-party domain. SRI would not have helped here either, since the code from Roomleader was legitimate, and because tag managers are dynamic by nature, an SRI hash could not have been applied to their output even if one had been used.
Another benefit, from the hackers’ perspective, of using Google Tag Manager is its ability to serve code according to a specific visitor’s profile. This means they could have used its native targeting to deliver the malicious code only to visitors on mobile devices, instead of building that logic themselves.
Beware of Future Threats
The next evolution of this code could remove the need for a drop server altogether and use legitimate whitelisted tools to capture credit card information: for example, sending the data to Google Analytics as a page view, or using Facebook to publish a comment containing the data on the hacker’s Facebook account.
Hackers are constantly trying to thwart detection, and another method they may use is to push their code only once every few thousand page views, to avoid detection by scanning bots. That variance can be just random enough that traditional methods won’t establish sufficient protection.
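To see what a defender can still do about the Google Analytics variant described above, here is an added example (not code from the original post or from Source Defense) that scans outbound beacon URLs for Luhn-valid card numbers. The analytics host is real, but the UA- property ID and every log line are constructed for this example, and the card number is the standard 4111 test PAN:

```python
"""Outbound-beacon scanner for card numbers.

Added example, not code from the original post or from any vendor it names.
It takes the defender's side of the scenario the post warns about: card data
smuggled out inside page-view hits to an allowlisted analytics host. The log
lines are constructed for this example; 4111 1111 1111 1111 is a standard
test card number, and the UA- property ID is a placeholder.
"""
import re
from urllib.parse import unquote, urlparse

DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every payment card number satisfies; filters out IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """URL-decode (twice, to catch double encoding) and keep Luhn-valid digit runs."""
    decoded = unquote(unquote(text))
    return [run for run in DIGIT_RUN.findall(decoded) if luhn_valid(run)]


def mask(pan: str) -> str:
    """Keep BIN and last four so an alert is useful without re-leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_beacons(log_lines, first_party=("booking.example-hotel.test",)) -> list:
    """Flag third-party requests whose URL carries a card-like number.

    Each log line is '<timestamp> <method> <url>'. Requests to the first-party
    hosts (constructed placeholder) are skipped, since a payment form may
    legitimately submit the PAN there. Returns (timestamp, host, masked_pan).
    """
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, url = parts[0], parts[2]
        host = urlparse(url).hostname or ""
        if host in first_party:
            continue
        for pan in find_pans(url):
            alerts.append((ts, host, mask(pan)))
    return alerts


# Constructed sample: outbound requests observed from a booking page. The third
# hit carries a 16-digit session-like value that fails Luhn and must not alert.
SAMPLE_LOG = [
    "2019-09-18T10:02:11Z GET https://www.google-analytics.com/collect?v=1&tid=UA-0000000-1&t=pageview&dp=%2Fbooking%2Fpayment",
    "2019-09-18T10:02:12Z GET https://www.google-analytics.com/collect?v=1&tid=UA-0000000-1&t=pageview&dp=%2Fcc%2F4111111111111111%2F12%2F24&cd1=J.%20Doe",
    "2019-09-18T10:02:13Z GET https://www.google-analytics.com/collect?v=1&tid=UA-0000000-1&t=event&ec=ui&ea=click&cd2=1234567890123456",
]

if __name__ == "__main__":
    for ts, host, pan in scan_beacons(SAMPLE_LOG):
        print(f"{ts} card-like data sent to {host}: {pan}")
```

The Luhn filter is what keeps a scanner like this quiet on timestamps and session IDs. In practice it would sit in a proxy or a browser-side monitor that sees every outbound request, including those to domains the CSP allowlists, which is exactly where a domain-based policy stops looking.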
Even SRI would not have been effective: the Roomleader code was legitimate and simply called the tag manager, so it would have passed an SRI check, and the tag manager’s output cannot be pinned with SRI because it is dynamic by nature.
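The CSP and SRI points made in the step above and repeated here can be checked against a toy policy matcher. The following is an added example, not code from the original post or from any of the companies it names; the first-party origin, the vendor loader, the attacker and vendor hosts and the GTM container ID are all constructed placeholders, while the Google domains are the real ones a policy would allowlist:

```python
"""Toy CSP source matcher and SRI helper.

Added example, not code from the original post or from any vendor it names.
It models the two controls the post says would not have helped: a CSP that
allowlists a tag-manager domain lets a container owned by the attackers load,
and SRI cannot cover the dynamic output of a tag manager even though the
unmodified loader that calls it hashes cleanly. All non-Google hosts and the
GTM container ID are constructed placeholders.
"""
import base64
import hashlib
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified host-source matching: 'self', exact hosts and '*.' wildcards.
    Nonces, hashes and 'strict-dynamic' are deliberately not modelled."""
    target = urlparse(url)
    if source == "'self'":
        origin = urlparse(page_origin)
        return (origin.scheme, origin.hostname) == (target.scheme, target.hostname)
    if source.startswith("'"):
        return False
    allowed = urlparse(source if "://" in source else "https://" + source)
    if "://" in source and allowed.scheme != target.scheme:
        return False
    host = allowed.hostname or ""
    if host.startswith("*."):
        return bool(target.hostname) and target.hostname.endswith(host[1:])
    return target.hostname == host


def request_allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Resolve the governing directive (falling back to default-src) and test the URL."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)


def sri_integrity(script: bytes, algo: str = "sha384") -> str:
    """Build the value a <script integrity="..."> attribute would carry."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_passes(script: bytes, integrity: str) -> bool:
    """Browser-side check: recompute the digest of the fetched bytes and compare."""
    algo = integrity.split("-", 1)[0]
    return sri_integrity(script, algo) == integrity


# Constructed first-party origin and a policy of the kind many sites deploy:
# first-party scripts, the booking vendor's loader and Google's tag manager
# and analytics domains are all allowlisted.
PAGE = "https://booking.example-hotel.test"
CSP = ("default-src 'self'; "
       "script-src 'self' https://loader.example-vendor.test https://www.googletagmanager.com; "
       "img-src 'self' https://www.google-analytics.com; "
       "connect-src 'self' https://www.google-analytics.com")

# Constructed stand-in for the legitimate vendor loader described in the post:
# unmodified code that does nothing but inject a tag-manager container script.
# The post says the container it pointed at belonged to the attackers; the ID
# here is a placeholder.
GTM_URL = "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"
VENDOR_LOADER = (b"(function(){var s=document.createElement('script');"
                 b"s.src='" + GTM_URL.encode() + b"';document.head.appendChild(s);})();")

if __name__ == "__main__":
    print("container from the tag manager allowed by CSP:",
          request_allowed(CSP, "script-src", GTM_URL, PAGE))
    print("script fetched straight from a drop server allowed:",
          request_allowed(CSP, "script-src", "https://drop.example-attacker.test/skim.js", PAGE))
    print("beacon to the allowlisted analytics host allowed:",
          request_allowed(CSP, "img-src", "https://www.google-analytics.com/collect?t=pageview", PAGE))
    tag = sri_integrity(VENDOR_LOADER)
    print("unmodified vendor loader passes SRI:", sri_passes(VENDOR_LOADER, tag))
    print("tampered vendor loader passes SRI:", sri_passes(VENDOR_LOADER + b"//x", tag))
    # The container script the loader creates is a dynamically inserted element
    # with no integrity attribute, so SRI is never evaluated against its bytes.
```

The matcher is deliberately minimal (no nonces, hashes or `'strict-dynamic'`), but it is enough to show the shape of the problem: the policy correctly blocks a script pulled straight from a drop server, yet the same policy waves through anything served from the allowlisted tag-manager domain, and the one resource SRI can pin (the vendor loader) is the one that was never modified.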
So, what could have been the solution?
If a 3rd party is compromised, the virtual page isolates this behavior and refuses to present it to the visitor. This is actual, real-time prevention: we cut off the 3rd party’s ability to interact directly and maliciously with the page. It prevents data leakage of any kind and lets website owners regain control over their users’ website experience.
CSP – Content Security Policy is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft through site defacement to the distribution of malware.
SRI – Subresource Integrity (SRI) is a security feature that enables browsers to verify that the resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that must match the fetched resource.
Drop server – the hacker server to which visitors’ information is sent.
Hadar Blutrich, CTO of Source Defense