by Source Defense

A new report on payment card fraud shows that a Magecart e-skimmer infected nearly 10,000 unique eCommerce domains at any point during 2022.

According to the Annual Payment Fraud Intelligence Report by Recorded Future, nearly 60 million compromised payment card records were posted for sale on dark web platforms in 2022, of which 45.6 million were classified as card-not-present (CNP)—meaning they were harvested during an online eCommerce transaction.

“Magecart actors launched campaigns that employed fake payment card forms, exploited legitimate merchant web infrastructure to deploy e-skimmers, and used HTTP referer headers to impede remediation by security analysts,” the report states. “One of these campaigns led to the compromise of 2 online ordering platforms, a trending tactic that exposes merchants who use the platforms to the risk of being compromised.”

Magecart – or Digital Skimming – attacks are designed to skim information entered into payment forms on checkout pages before sending that data to a remote server controlled by the attackers. Attackers accomplish this by compromising the third- and fourth-party JavaScript code used by nearly all websites to provide things like online shopping carts, forms, analytics, advertising, social sharing, and much more.

The Recorded Future® Magecart Overwatch program discovered 1,520 unique malicious domains involved in the infections of 9,290 e-commerce domains at any point in 2022. Of these, 2,468 eCommerce domains remained actively infected at the close of 2022. This should come as no surprise, as many of the most high-profile Magecart attacks went undetected for months or even years.

New Attack Vector Discovered

The report details the discovery of a novel Magecart campaign in which a malware server used the HTTP Referer header in requests to limit the download of malicious scripts. The attackers injected links to malicious JavaScript files into eCommerce shops, but the server hosting these files only sent the malicious scripts when:

  1. an HTTP Referer header was present; and
  2. its value matched one of the infected eCommerce websites.

According to the report, this technique was likely designed to impede security analysts during remediation efforts: an analyst who downloads the script URL directly, without the Referer header a victim's browser would send, receives a harmless or empty response and may conclude the file is benign.
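The practical consequence for remediation is that a script must be fetched both with and without the infected storefront's Referer before it is judged clean. The following Python helper, added here as an example and not taken from the Recorded Future report or from Source Defense, performs that paired fetch and reports whether the two responses differ. The URLs, the `constructed_fetch` stand-in and the response bodies are constructed so the script runs offline; `http_fetch` is the real network path.

```python
"""Check whether a script URL is served differently depending on the Referer header.

Added example, not code from the report or from Source Defense. A remediation
analyst who downloads a suspected skimmer URL without a Referer and receives an
empty or benign body should repeat the request with the infected storefront as
Referer before concluding the file is harmless.
"""
import hashlib
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# A fetcher takes (url, referer) and returns (status, body bytes).
Fetcher = Callable[[str, Optional[str]], Tuple[int, bytes]]


def http_fetch(url: str, referer: Optional[str], timeout: float = 10.0) -> Tuple[int, bytes]:
    """Default fetcher using only the standard library (needs network access)."""
    headers = {"User-Agent": "Mozilla/5.0 (remediation-check)"}
    if referer:
        headers["Referer"] = referer  # the header name keeps its historical misspelling
    req = Request(url, headers=headers)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def compare_referer_gating(url: str, referer: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Fetch `url` with and without `referer` and report whether the responses differ."""
    status_plain, body_plain = fetch(url, None)
    status_ref, body_ref = fetch(url, referer)
    return {
        "url": url,
        "status_without_referer": status_plain,
        "status_with_referer": status_ref,
        "sha256_without_referer": hashlib.sha256(body_plain).hexdigest(),
        "sha256_with_referer": hashlib.sha256(body_ref).hexdigest(),
        "bytes_without_referer": len(body_plain),
        "bytes_with_referer": len(body_ref),
        # Any difference means the server is keying its response on the Referer.
        "referer_gated": body_plain != body_ref or status_plain != status_ref,
    }


# Constructed stand-in for a gating server so the example runs offline.
# Hypothetical URLs and bodies; nothing here is taken from a real incident.
CONSTRUCTED_RESPONSES = {
    None: (200, b"// nothing to see\n"),
    "https://shop.example/checkout": (200, b"/* constructed placeholder body served only to the victim site */\n"),
}


def constructed_fetch(url: str, referer: Optional[str]) -> Tuple[int, bytes]:
    """Return the gated body only when the expected Referer is supplied."""
    return CONSTRUCTED_RESPONSES.get(referer, CONSTRUCTED_RESPONSES[None])


def demo() -> Dict[str, object]:
    """Run the comparison against the constructed gating server."""
    return compare_referer_gating(
        "https://cdn.example/lib.js", "https://shop.example/checkout", fetch=constructed_fetch
    )


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record both hashes in the incident notes: the body obtained with the Referer is the one that needs analysis, and the mismatch itself is evidence that the host is conditionally serving content.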

Hackers continued to exploit Google Tag Manager (GTM) containers during 2022. GTM is a legitimate web service used for marketing, collecting website usage metrics, and tracking customer online behavior. Researchers discovered a total of 891 eCommerce domains that were infected by these Magecart variants.

Top Breaches in 2022

The highest impact compromises in 2022 targeted outsourced online ordering solutions for restaurants and ticketing services, according to the report. 

  • MenuDrive and Harbortouch, both of which are online ordering platforms for restaurants, were targeted by a single Magecart campaign that resulted in e-skimmer infections for 154 restaurants.
  • InTouchPOS, an online ordering platform, was targeted with a Magecart attack that resulted in e-skimmer infections of 157 restaurants.
  • Core Cashless, an online ticketing platform used by amusement parks, suffered a client-side attack that exposed payment card transactions from 45 amusement parks.

One of the main reasons for the consistent use of Magecart e-skimmer attacks is the predictable results that hackers can expect. In 2022, for example, the average website targeted by this attack served 5,215 monthly visitors with a conversion rate of 2.5% to 3%. 

“If threat actors collect between 130 and 160 cards per month from each of their infected websites and then sell them at an average price of $15 per compromised card, they could easily earn between $1,950 and $2,400 per month per infected website,” the report states. “This enables them to amass substantial criminal profits without sinking time and effort into fraudulent monetization.”

Make Magecart Attacks a Thing of the Past

The Source Defense Client-Side Web Application Security Platform is an all-in-one, single, and scalable system built for complete threat visibility, control, and prevention of client-side attacks. With this one-of-a-kind technology, client-side threats are stopped in their tracks without your teams needing to lift a finger. Source Defense uses a prevention-first approach and real-time JavaScript sandbox isolation and reflection to prevent client-side attacks without alerting analysts.

Source Defense uses real-time JavaScript sandboxing technology to create virtual pages that isolate 3rd party scripts from the website. The virtual pages are an exact replica of the original ones, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activity on the virtual pages. If the activity is within the bounds of what the script is allowed to do, we transfer it from the virtual page to the original one. If not, we keep the activity on the virtual page, isolated from the user, and send a report to the website owner alerting them that a 3rd party script has violated their security policy.

This is as close to ‘set it and forget it’ security and data privacy as you will see on the market.

Cybersecurity analysts can rest easy at night — and engage in valuable activities during the workday — knowing that a critical portion of their job is being efficiently and automatically managed. Ultimately, the Source Defense platform offers a simple way to manage the 3rd party risk in your digital supply chain and prevent attacks from the client side.

Waiting to act is simply waiting to be attacked. Visibility is the first and most important part of any risk mitigation program. Source Defense is ready to provide you with a free website risk analysis within the next few days. Get moving with the Source Defense team to close this open gap in your eCommerce security.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS 4.0 requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.
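Requirements 6.4.3 and 11.6.1 come down to two checks on the payment page: every script loaded there must be on an authorized inventory, and any change to an authorized script must be detected. The Python audit below is an added example of those checks applied to a captured checkout page; it is not Source Defense's product code, and the page HTML, allowlist, baseline hashes and the `CONSTRUCTED_BODIES` fetcher are all constructed for the example. It also handles a first-party relative `src`, which the paragraph does not mention.

```python
"""Inventory the external scripts on a captured payment page and verify each one.

Added example of script authorization (PCI DSS 4.0 req. 6.4.3) and tamper
detection (req. 11.6.1). Not Source Defense's code; all data here is constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse


class ScriptTagCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "script":
            return
        attributes = dict(attrs)
        if attributes.get("src"):
            self.sources.append(attributes["src"])


def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value for a script body: sha384-<base64 digest>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def audit_payment_page(
    html: str,
    page_origin: str,
    allowed_origins: Iterable[str],
    baseline: Dict[str, str],
    fetch: Callable[[str], bytes],
) -> List[Dict[str, str]]:
    """Return one finding per external script.

    status is one of: ok, unauthorized_origin, not_in_inventory, tampered.
    `baseline` maps script URL to the SRI hash recorded when it was authorized.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    allowed = {origin.lower() for origin in allowed_origins}
    findings: List[Dict[str, str]] = []
    for src in collector.sources:
        # A relative src (no netloc) is served by the page's own origin.
        origin = urlparse(src).netloc.lower() or page_origin.lower()
        if origin not in allowed:
            findings.append({"src": src, "status": "unauthorized_origin"})
            continue
        if src not in baseline:
            findings.append({"src": src, "status": "not_in_inventory"})
            continue
        actual = sri_sha384(fetch(src))
        if actual != baseline[src]:
            findings.append({"src": src, "status": "tampered", "expected": baseline[src], "actual": actual})
        else:
            findings.append({"src": src, "status": "ok"})
    return findings


# Constructed data: hypothetical hosts, script bodies and a checkout page.
# The analytics tag's body has changed since its hash was recorded.
CONSTRUCTED_BODIES = {
    "https://cdn.example/cart.js": b"window.cart = {};\n",
    "https://tags.example/analytics.js": b"/* constructed analytics tag, now with an extra line */\n",
    "/js/checkout.js": b"document.querySelector('#checkout');\n",
}
CONSTRUCTED_BASELINE = {
    "https://cdn.example/cart.js": sri_sha384(b"window.cart = {};\n"),
    "https://tags.example/analytics.js": sri_sha384(b"/* constructed analytics tag */\n"),
    "/js/checkout.js": sri_sha384(b"document.querySelector('#checkout');\n"),
}
CONSTRUCTED_PAGE = """
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/cart.js"></script>
<script src="https://tags.example/analytics.js"></script>
<script src="https://static.unknown-host.test/loader.js"></script>
<form id="checkout"><input name="card"></form>
</body></html>
"""
ALLOWED_ORIGINS = {"shop.example", "cdn.example", "tags.example"}


def demo() -> List[Dict[str, str]]:
    """Audit the constructed page; the fetcher is a dictionary lookup, so this runs offline."""
    return audit_payment_page(CONSTRUCTED_PAGE, "shop.example", ALLOWED_ORIGINS, CONSTRUCTED_BASELINE, CONSTRUCTED_BODIES.__getitem__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Inline `<script>` blocks and scripts injected at runtime by other scripts are not seen by this static parse, which is why a page capture taken from a real browser session, rather than the server's HTML template, is the right input, and why the audit has to be repeated on a schedule rather than run once.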