
A year of data infection over protection - the rise of Magecart

(Image credit: Image source: Shutterstock/deepadesigns)

Data breaches continued to dominate the headlines despite 2018 being the year data protection entered mainstream consciousness. Implementation of the General Data Protection Regulation (GDPR), the biggest change to data protection legislation in decades, brought cyber security to the forefront of businesses’ thinking.

Yet data breaches persist at a near constant rate. Organisations face an ever-evolving threat landscape, but one cyber security threat in particular continues to wreak havoc for e-commerce companies. According to RiskIQ’s Black Friday E-commerce Blacklist report, Magecart has been identified as being behind at least 319,678 instances in 2018 alone. Shockingly, it also identified that many of these were high-profile brands, such as Ticketmaster and Newegg.

Magecart is an umbrella term for at least seven cybercrime groups that insert malicious JavaScript code to collect consumer card data at website checkouts. These attacks, known as digital payment card skimming or formjacking, can be catastrophic for businesses because they expose customers’ sensitive Personally Identifiable Information (PII), which carries heavy fines under the GDPR legislation.

Considering the alarming rate at which digital credit card skimmers are found to be compromising e-commerce sites, what do businesses need to know about Magecart? Why are these attacks becoming even more frequent and what can be done to reduce the risks? Understanding the Magecart threat could help prevent e-commerce businesses being the next Magecart victim.

Magecart “the thriving criminal underworld”

Yonathan Klijnsma, a threat researcher who has tracked Magecart for more than a year, described the group as “the thriving criminal underworld that has operated in the shadows for years”. Many e-commerce companies will simply not have heard of Magecart. However, Magecart is thriving, with RiskIQ claiming to receive hourly alerts of new websites compromised by its malicious JavaScript code.

Magecart groups are cyber-criminal gangs targeting the e-commerce space by identifying and exploiting known server vulnerabilities and injecting card payment skimming code into websites. The code collects credit card numbers, names and security codes and sends them to an attacker-controlled server, often for months before being discovered. This data is sold to criminal gangs on the dark web for a lucrative profit.

The group’s danger lies in its ability to adapt and lie undiscovered within the organisation’s IT systems. Traditionally, hacking groups have used generic code, testing for weaknesses in organisations until succeeding. Magecart has recently opted for ‘personalised malware’ – malware created with a specific victim in mind and modified to attack the intended victim’s particular infrastructure. Magecart’s adaptability means it also uses third-party tools as a route into a company’s system, as seen with the Ticketmaster breach. In the case of the Newegg breach, however, the website server itself was directly compromised, with Magecart integrating with its payment system and ostensibly becoming part of the company’s infrastructure. This is how Magecart finds success: firstly, it is harder for the business to spot the data theft, and secondly, with a script sitting on the website, card CVV numbers can be easily captured.

In all these cases Magecart lay undetected for months, meaning victims could not act while Magecart collected masses of customer data; speed to action will therefore be essential. Most countries already have data protection acts in place to safeguard PII, and the global trend has been to strengthen the protection of these rights. With the introduction of GDPR, the imminent introduction of the California Customer Privacy Act (CCPA), and already established regulations such as the Payment Card Industry Data Security Standard (PCI DSS), damage limitation and incident response are key. Acting swiftly and having a prevention strategy in place will reduce the impact of any regulatory sanctions or damage to the brand. The stakes could not be higher for e-commerce businesses. Gemalto recently found that 70 per cent of consumers would stop doing business with a company if it experienced a data breach. Worryingly, recent Ensighten research found that nearly half (46 per cent) of enterprises believe they’re on the brink of a website breach.

The current state of play

Part of the reason for Magecart’s success is the wide-scale adoption of JavaScript, used by an estimated 92 per cent of all websites in 2016. JavaScript is used to deploy third-party technologies and services onto a website. This helps improve the customer experience, offers the company insights into how users interact with it via its digital channels, and enables enhanced performance measurement and personalised experiences. These benefits, however, have led to many sites relying heavily on third-party JavaScript.

Third-party technologies are given a high level of trust: they have access to the client side of the website, and therefore to everything that happens in the browser, including customer data. This ‘all access’ attribute has enabled hackers to manipulate the JavaScript code being served, either through third-party supply chains or directly through the business’s own web servers, to inject malicious code.

Get rid of the infection and turn eyes towards protection

With a firm understanding of Magecart we can look at prevention to help protect businesses against Magecart and attacks associated with it. This starts by turning eyes inward to your organisation and asking the following questions:

  • Do you know which third-party vendors are operating on your website? How do you guarantee this?
  • Can you ensure that third-party technologies on your site can’t capture sensitive information? How do you go about this?
  • Can you ensure that the end script is the one which is permitted? How can you double check this is still the case?
  • Can you control what content is being loaded into the third-party requests? If an unvalidated script was accessing card payment details on your site, would you be able to immediately stop it?

If there’s any uncertainty or doubt about any of the above, security strategies must be reviewed and action taken immediately. Start by scanning and monitoring your website to see which third-party JavaScript is operating on the site, where it is being loaded from and which pages these scripts are on. Only once this is done can businesses whitelist and enforce which third parties and scripts operate on their websites.

However, information security strategies are in constant evolution. So, whilst the above is a starting point, security professionals must also use Website Data Leak Prevention and marketing security solutions, so that if a trusted third-party script is compromised you can prevent alterations to your site and stop leaks before they take place.

If 2018 was Magecart’s coming-out party, 2019 can be the year the e-commerce industry strikes a blow against the group’s activities. These relatively simple measures against cyber threats could be the difference between a thriving business and one facing debilitating GDPR and PCI DSS sanctions.

Ian Woolley, Chief Revenue Officer, Ensighten

Ian Woolley is the Chief Revenue Officer at Ensighten. Ensighten is a Data Privacy and Omni-Channel Data Management company working with global enterprises (including 50 per cent of Global Fortune 500’s commercial banks and computer software companies) in data security, governance and management.