The NTIC Cyber Center assesses with high confidence that profit-motivated cyber threat actors will increasingly leverage Magecart attacks against vulnerable ecommerce sites to steal payment card data and sell it through online black markets or use it to conduct fraudulent financial transactions. Chip-enabled payment cards and modern card-present payment processing systems have significantly deterred financial fraud and payment card data theft at physical retail locations. As a result, cyber threat actors are increasingly turning to ecommerce platforms to skim customer payment data. Magecart attacks have historically targeted organizations across multiple sectors and industries; thus, any organization that facilitates online payments using ecommerce platforms is at risk of compromise and potential financial liability resulting from associated data breaches.
Magecart is an umbrella term that encompasses prevalent profit-motivated hacking campaigns targeting vulnerable ecommerce websites, the malicious code used in these campaigns, and the criminal groups conducting this activity. First perpetrated in 2014, Magecart attacks targeted ecommerce websites built using Magento, an open-source ecommerce platform written in the PHP programming language. The first Magecart campaigns compromised Magento sites by employing brute-force attacks or using stolen login credentials to gain initial access to targeted websites. Over time, Magecart tactics, techniques, and procedures (TTPs) evolved to include targeting third-party plugins and conducting scans to identify vulnerable websites. Magecart threat groups have also expanded their range of targets to include ecommerce sites built on other platforms including OpenCart, OSCommerce, and PrismWeb. The number of groups conducting these attacks has also increased, with some experts estimating that there are at least seven currently active groups that have collectively compromised the ecommerce platforms of more than 110,000 merchants to date. Magecart attacks facilitate the exfiltration of data such as names, addresses, payment card numbers, card verification value (CVV) codes, expiration dates, and other information from forms on compromised websites.
Magecart attacks present an ever-increasing challenge to businesses, website administrators, and customers. The attack methods are difficult to detect, making them an attractive choice for cyber threat actors seeking to target payment card information on ecommerce platforms. Additionally, Magecart threat groups are often quick to identify and exploit unpatched zero-day vulnerabilities. The demand for stolen payment card data appears to be growing as well, as security researchers note a reduction in supply of payment card data and an increase in the average price per card on underground marketplaces, likely a result of merchants’ adoption of more secure chip-enabled payment technology to reduce fraud associated with card-present transactions.
Recent Magecart Incidents
In August 2018, online electronics retailer Newegg suffered a Magecart breach after cyber threat actors injected malicious code into the website’s payment processing page. The cyber threat actors registered and used the malicious site neweggstats[.]com as a drop server to seamlessly blend into Newegg’s checkout infrastructure. This attack may have facilitated the theft of personal and payment card information belonging to millions of customers.
In April 2019, cyber actors breached the Australian ecommerce website of clothing company Puma through either an unpatched vulnerability or a breached third-party component. Cyber actors perpetrated the attack using an advanced skimming technique involving polymorphic code compatible with numerous local currency payment systems.
How Magecart Attacks Work
To gain write access to a targeted website’s source code, cyber actors may leverage techniques such as PHP Object Injection (POI), SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), Local File Extension (LFE), Remote File Execution (RFE), or other vulnerabilities.
Cyber actors are known to “crawl” target sites in advance to profile checkout processes, probe for vulnerable extensions, or examine third-party plugins.
Once write access is obtained, the cyber threat actor modifies application source code by inserting a data-skimming script. This script is often difficult to identify as it is frequently obfuscated, written to mimic Google Analytics code, or comprised of polymorphic code containing innumerable decoy keywords or commands that change each time the code is run.
The code directs the victim’s browser to scrape and send data from checkout forms to a website or remote drop server accessible to attackers. To reduce suspicion, cyber threat actors frequently register and use a drop server domain that looks similar to a legitimate domain, allowing any anomalies in the code to go undetected upon a cursory review. Cyber threat actors may even obtain an SSL certificate for the drop server domain to give the appearance of legitimacy.
Attackers collect stolen credentials from the drop server and use them to perpetrate fraudulent activity or sell through online black markets and forums.
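As an added example (not part of the NTIC advisory), the following Python audit implements the defender’s side of the technique described above, and also serves the later recommendations to scrutinize third-party scripts and confirm the legitimacy of external domains: it extracts the script tags from a checkout page, flags external script hosts that are neither first-party nor on a reviewed allowlist (calling out brand look-alike hosts, the drop-server pattern described above, separately), and flags inline scripts carrying common obfuscation markers. The merchant domain, brand token, allowlist and sample page fragment are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed checkout-page fragment (not from any real site): an allow-listed analytics
# include, an include from a brand look-alike domain, and an obfuscated inline loader.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://acmeshop-stats.example/js/checkout.js"></script>
<script>var _0x4f2a=atob("ZG9jdW1lbnQuZm9ybXM=");eval(_0x4f2a);</script>
<script src="/static/app.js"></script>
"""
FIRST_PARTY = "acmeshop.example"              # assumed merchant domain
BRAND_TOKENS = ("acmeshop",)                  # assumed brand strings abused in look-alikes
ALLOWED_HOSTS = {"www.google-analytics.com"}  # assumed reviewed third-party allowlist
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Calls that legitimate analytics snippets rarely need but skimmer loaders commonly use,
# plus the _0x-style identifiers produced by common JavaScript obfuscators.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode")
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{3,}\b", re.I)

def classify_host(host):
    """Return 'allowed', 'lookalike' or 'unknown' for an external script host."""
    host = host.lower()
    if host in ALLOWED_HOSTS or host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
        return "allowed"
    return "lookalike" if any(tok in host for tok in BRAND_TOKENS) else "unknown"

def obfuscation_indicators(body):
    """List the obfuscation markers present in an inline script body."""
    found = [m for m in OBFUSCATION_MARKERS if m in body]
    if HEX_IDENT.search(body):
        found.append("_0x identifiers")
    return found

def audit_scripts(html):
    """Return (kind, detail) findings that warrant manual review of a page's scripts."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname  # None for relative (first-party) paths
            if host and classify_host(host) != "allowed":
                findings.append((classify_host(host), host))
        elif body.strip():
            hits = obfuscation_indicators(body)
            if hits:
                findings.append(("obfuscated-inline", ", ".join(hits)))
    return findings
```

Running `audit_scripts(SAMPLE_HTML)` reports the look-alike host and the obfuscated inline script while passing the allow-listed and relative includes; in practice the audit is run against the live, rendered checkout page on a schedule, since the injected script is often not present in the deployed source tree.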
Recommendations to Mitigate the Risk of a Magecart Attack
The NTIC Cyber Center strongly recommends all organizations using ecommerce platforms implement a robust and layered security strategy to identify and manage risk posed by Magecart attacks. Administrators of ecommerce websites are encouraged to review the following list of recommendations to help reduce the risk of compromise:
Ensure that all administrator accounts associated with ecommerce websites, including cPanels, website analytics platforms, and ecommerce platforms, are secured with lengthy, complex, and unique passwords and multifactor authentication, if possible.
Implement Subresource Integrity (SRI) configurations to instruct browsers to only fetch resources with a predetermined cryptographic hash value. This acts as a checksum for browsers to verify that libraries loaded from third-party sources have not been modified.
Simplify checkout pages and avoid using third-party scripts on any page that records sensitive data to isolate payment forms from possible abuse by external plugins or scripts.
Scrutinize all third-party scripts and investigate any unexpected presence of obfuscated scripts.
Perform quality controls to confirm legitimacy of all external domains referenced in the website’s source code.
Consider implementing a reputable web application firewall (WAF) to protect websites against XSS, SQLi, path traversal, and other types of external attacks. Some WAFs advertise the ability to detect when dynamic analysis is performed on – or unauthorized changes are made to – a web application.
Employ code obfuscation tools and techniques to protect front-end code and make analyzing and modifying web applications difficult.
Maintain awareness of current and emerging threats and vulnerabilities by subscribing to associated security bulletins and implement patches for plugins and extensions as soon as possible.
Work with third-party vendors to ensure vulnerable or unprotected plugins and extensions are patched and kept up-to-date.
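As an added example (not from the NTIC advisory) of the Subresource Integrity recommendation above, the following Python code computes the `integrity` token for a third-party library, builds the pinned `<script>` tag, and mimics the browser’s check so that a tampered copy of the library is refused. The library bytes and CDN URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed third-party library content (stands in for a file served from a CDN);
# the tampered copy appends the kind of addition a skimmer would make.
ORIGINAL_JS = b"window.cart = { total: 0 };\n"
TAMPERED_JS = ORIGINAL_JS + b"/* injected */\n"
SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits

def sri_digest(content, algo="sha384"):
    """Return the SRI token for resource bytes, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src, content, algo="sha384"):
    """Build the pinned <script> tag; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algo)}" '
            f'crossorigin="anonymous"></script>')

def browser_would_execute(integrity_attr, fetched):
    """Simplified browser check: execute only if a listed token matches the fetched bytes.
    (The spec picks the strongest listed algorithm; here any matching token passes.)"""
    for token in integrity_attr.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_digest(fetched, algo) == token:
            return True
    return False

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/cart.js", ORIGINAL_JS)
    print(tag)
    token = sri_digest(ORIGINAL_JS)
    print("original accepted:", browser_would_execute(token, ORIGINAL_JS))
    print("tampered accepted:", browser_would_execute(token, TAMPERED_JS))
```

SRI only covers resources loaded from other origins with a fixed, versioned URL; it does not protect a first-party file the attacker rewrites on the compromised server, and it cannot pin a third-party script the vendor changes without notice, which is why the advisory pairs it with script minimization on checkout pages.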