Cyberattacks and data breaches have risen dramatically in recent years, and no industry or organization is immune. Merchants, governments, healthcare, and critical infrastructure are continuously targeted with ransomware, cloud leaks, supply-chain attacks, and payment-card e-skimming. Multiple gangs of cybercriminals, including several operating with the blessing of foreign governments, are hard at work breaching merchant cyber-defences using a set of sophisticated tricks known as “MageCart”. And more often than not, the cybercriminals are winning.
Types of e-Commerce Breaches
There are two main types of breaches: active thefts and unintentional leaks.
Active Theft - Criminals interested in stealing credit cards are always innovating to get at easily monetized data as quickly as possible and at scale. As most of the world moved to EMV, major point-of-sale breaches appeared to ease, and card-not-present transactions became an increasingly tempting target. Shopping carts, their linkage to payment pages, and widespread misconceptions about scope, compliance footprints, and the appropriate security mechanisms for these systems provided a perfect opportunity for cybercriminals.
Unintentional Leaks - While typical leaks include things like lost unencrypted media and misconfigured cloud storage, there is an often overlooked area: an entire sub-industry of web replay and analytics providers uses tools and techniques to collect keystroke-by-keystroke data and replay entire web sessions. Systems using these tools are easily misconfigured and often exfiltrate unintended data. In some cases, the tools transmit data unencrypted. And many third-party analytics services are not PCI DSS compliant (see Learn More below).
What is MageCart?
How Does it Work?
MageCart groups innovate and continuously adapt to improve their methods. Some of the techniques used include reclaiming expired domains, spoofed websites, look-alike (homoglyph) domain names, plugins, mass exploitation, code obfuscation, evasion techniques, unsecured AWS S3 buckets, and advertising servers tainted with malicious images and metadata.
As an example of this type of innovation, advances in Artificial Intelligence (AI) and Machine Learning (ML) are being leveraged to find new ways to exploit systems. Researchers recently demonstrated how to smuggle malware inside machine learning models.
Who’s been breached?
MageCart attacks and techniques make regular appearances in our weekly [in]Security news summary and have been covered in nearly 1 in 3 of our issues and over 40 significant breaches to date.
Active since at least 2015, MageCart groups have compromised hundreds of thousands to potentially millions of websites. Often, these groups compromise large numbers of sites through third parties in the hope of snaring a subset of lucrative payment sites. MageCart groups have been implicated in a number of high-profile breaches including British Airways, Ticketmaster, Braintree/Paypal, Newegg, Macy's, Forbes, Sotheby's, The Atlanta Hawks, Smith & Wesson, Salesforce Heroku, NutriBullet, Tupperware, the Olympics, Click2Gov Cities, Volusion, hotel chains, and charities.
Typically in these situations, the third-party service providers bear the load of responsibility and are held accountable for larger web security issues within their environment. However, brand damage is still a major risk.
MageCart is a classic arms race between criminals and legitimate businesses. The current PCI guidance helps but is not sufficient, because its controls are not designed to protect against all aspects of this threat. There are hopes for improvements in the upcoming PCI DSS v4.0, but no details have been made public so far. Organizations should not rely on PCI guidance alone to solve MageCart and should look to industry best practices to help ensure comprehensive controls are in place. Beyond PCI, there are open standards and initiatives such as Content Security Policy (CSP), Subresource Integrity (SRI), and tools like URLscan. There are also a number of commercial solutions claiming to help (see Learn More below).
MageCart attacks are a major risk to e-commerce. The techniques exploiting e-commerce sites are constantly evolving, adapting, and improving. Many high-profile organizations have been breached. Current PCI DSS controls and guidance are not designed to stop the methods used by these groups. Additionally, there is a tremendous potential for MageCart type attacks to compromise ecosystems beyond payments and e-commerce.
- The DSS, MageCart, and the DOM – Part 1: The PCI DSS e-Commerce Rules https://controlgap.com/blog/PCI-MageCart-DOM-Part1
- The Control Gap Weekly [in]Security News Roundups https://controlgap.com/blog?tag=insecurity
Search for insecurity articles about magecart:
- The ease of MageCart supply chain attacks https://www.forbes.com/sites/jasonbloomberg/2019/01/06/cybercrime-so-simple-anyone-can-do-it/
- What is known about the upcoming PCI DSS v4.0 https://controlgap.com/blog/PCI-DSSv4-is-Coming
- PCI and Retail ISAC joint advisory https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_08012019
- Visa on expanded e-commerce threats https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
- PCI Security Standards Council bulletin on the threat of online skimming to payment security https://www.pcisecuritystandards.org/pdfs/PCISSC_Magecart_Bulletin_RHISAC_FINAL.pdf
- The Threat of Online Skimming to Payment Security https://blog.pcisecuritystandards.org/the-threat-of-online-skimming-to-payment-security
- FBI Issues Payment Card Skimming Warning https://www.bankinfosecurity.com/fbi-issues-payment-card-skimming-warning-a-13292
- TicketMaster https://www.zdnet.com/article/ticketmaster-breach-was-part-of-a-larger-credit-card-skimming-effort-analysis-shows/ and https://www.theregister.co.uk/2018/12/12/ticketmaster_denies_fault_website_magecart_infection/
- NewEgg https://techcrunch.com/2018/09/19/newegg-credit-card-data-breach/
- Atlanta Hawks https://www.cnet.com/news/hackers-hit-atlanta-hawks-with-malware-stealing-credit-card-information/
- Macy’s https://threatpost.com/macys-data-breach-linked-to-magecart/150393/
- Smith and Wesson https://www.darkreading.com/threat-intelligence/smith-and-wesson-is-magecarts-latest-target/d/d-id/1336505
- Hotel Booking Sites https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/
- Tupperware https://www.zdnet.com/article/tupperware-website-hacked-and-infected-with-payment-card-skimmer/
- Olympic Tickets, Euro 2020 Tickets, BePrepared.com, Augason Farms https://threatpost.com/olympic-ticket-survival-sites-hit-by-cyberattack/152648/
- American Cancer Society https://www.bankinfosecurity.com/skimming-malware-found-on-american-cancer-society-webstore-a-13321
- PrisimWeb/PrismRBS https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/
- Click2Gov https://threatpost.com/8-city-gov-websites-magecart/156954/
- Various small mostly Magento merchants https://www.zdnet.com/article/keeper-hacking-group-behind-hacks-at-570-online-stores/
A series of articles from Princeton on web replay privacy risks:
CSP and SRI:
- Content Security Policy https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- Subresource Integrity https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
- Some CSP challenges https://www.darkreading.com/attacks-breaches/why-csp-isnt-enough-to-stop-magecart-like-attacks/a/d-id/1337226 and https://www.helpnetsecurity.com/2020/05/14/myths-magecart-attacks/
- URLscan free service to scan and analyze websites https://urlscan.io/
- Checking for 3rd party Magecart with just a browser and URLscan https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/anyone-can-check-for-magecart-with-just-the-browser/
Commercial Solutions we are aware of in alphabetical order:
- Ensighten’s MarSec https://www.ensighten.com/solutions/supply-chain/
- Imperva’s Client-Side Protection https://www.imperva.com/blog/imperva-prevents-client-side-attacks-like-formjacking-and-magecart/
- Jscrambler https://blog.jscrambler.com/how-to-protect-your-organization-from-magecart/
- PerimeterX Code Defender https://www.perimeterx.com/products/code-defender/
- RapidSpike https://www.rapidspike.com/security-magecart-detection/
- Reflectiz https://www.reflectiz.com/why-your-web-application-firewall-waf-will-not-help-against-third-party-website-attacks
- ScriptWatch https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/
Note: The list of solutions above is not complete nor have we evaluated or compared their effectiveness or cost (i.e. it's just a list for further investigation and not a recommendation).
Evasion, Infection, and Exfiltration
- Not just Magento https://www.riskiq.com/blog/labs/magecart-beyond-magento/
- Supply chains https://www.riskiq.com/blog/labs/cloudcms-picreel-magecart/
- Plugin exploitation https://threatpost.com/magecart-cybergang-targets-0days-in-third-party-magento-extensions/138547/
- Mass exploitation https://www.forbes.com/sites/leemathews/2019/10/11/over-18000-websites-infested-with-magecart-card-skimming-malware/
- MageCart via S3 buckets https://www.wired.com/story/magecart-amazon-cloud-hacks/
- IFRAME MITM attack against Braintree/PayPal https://www.perimeterx.com/resources/blog/2020/new-stealth-magecart-attack-bypasses-payment-services-using-iframes/
- MageCart Group Switches Up Tactics with MiTM, Phishing https://threatpost.com/magecart-variant-tactics-mitm-phishing/150628
- Skimmer acts as payment service provider via rogue iframe https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/
- Credit card skimmers are now being buried in image file metadata on e-commerce websites https://www.zdnet.com/article/your-credit-card-information-is-now-being-stolen-through-image-files/
- Domain spoofing https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https
- Reused domains https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/ and https://www.riskiq.com/blog/labs/magecart-reused-domains
- Homoglyph (look-alike character) attacks https://www.zdnet.com/article/magecart-group-uses-homoglyph-attacks-to-fool-you-into-visiting-malicious-websites/
- MageCart Hackers Now hide PHP-Based Backdoor In Website Favicons https://thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html
- Favicons Found Housing Credit Card Skimming Malware on myicons dot net target Magento sites https://www.scmagazine.com/home/retail/favicons-found-housing-credit-card-skimming-malware/
- Ads https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/
- Group 5 looking to inject malicious ads from public Wi-Fi routers https://threatpost.com/magecart-group-targets-routers-behind-public-wi-fi-networks/148662/
- Crooks abuse Google Analytics to conceal theft of payment card data https://arstechnica.com/information-technology/2020/06/google-analytics-trick-allows-crooks-to-hide-card-skimming/
- Evasion techniques https://gwillem.gitlab.io/2018/10/04/magecart-tripwire/
- Researchers hid malware in AI/ML Machine Learning models https://www.schneier.com/blog/archives/2021/07/hiding-malware-in-ml-models.html
- Inside MageCart: Cybercrime and the Assault on E-Commerce https://www.riskiq.com/blog/external-threat-management/inside-magecart/
- MageCart group 4 update https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/
- MageCart group 7 update https://www.riskiq.com/blog/labs/magecart-makeframe/
- AOT FIN6 and Volusion deep dive https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/
- North Korean hackers linked to web skimming (MageCart) attacks https://www.zdnet.com/article/north-korean-hackers-linked-to-web-skimming-magecart-attacks-report-says/