Data breaches continued to dominate the headlines despite 2018 being the year data protection entered mainstream consciousness. Implementation of the General Data Protection Regulation (GDPR), the biggest change to data protection legislation in decades, brought cyber security to the forefront of businesses’ thinking.
Yet, data breaches persist at a near consistent rate. Organisations are faced with an ever-evolving threat landscape, but one important cyber security threat continues to wreak havoc for e-commerce companies. According to RiskIQ’s Black Friday E-commerce Blacklist report, Magecart has been identified as being behind at least 319,678 instances in 2018 alone. Shockingly, it also identified many of these were high-profile brands, such as Ticketmaster and Newegg.
Considering the alarming rate at which digital credit card skimmers are found to be compromising e-commerce sites, what do businesses need to know about Magecart? Why are these attacks becoming even more frequent and what can be done to reduce the risks? Understanding the Magecart threat could help prevent e-commerce businesses being the next Magecart victim.
Magecart “the thriving criminal underworld”
Magecart groups are cyber-criminal gangs targeting the e-commerce space by identifying and using known server vulnerabilities and injecting card payment skimming code into websites. The code collects credit card numbers, names and security codes on an attacker-controlled server, often for months before being discovered. This data is sold to criminal gangs on the dark web for a lucrative profit.
The group’s danger lies in its ability to adapt and lay undiscovered within the organisation’s IT system. Traditionally, hacking groups have used generic code, testing for weaknesses in organisations until succeeding. Magecart has recently opted for ‘personalised malware’ – malware created with a specific victim in mind and modified to attack the intended victim’s particular infrastructure. Magecart’s adaptability means it also uses third-party tools as a root into a company’s system, as seen with the Ticketmaster breach. However, in the case of the Newegg breach, the actual website server was directly comprised with Magecart integrating with its payment system, ostensibly becoming part of the company’s infrastructure. This way, Magecart find success, as firstly, it’s harder for the business to spot data theft and secondly, by having script sitting on a website, card CVV numbers can be easily captured.
In all these cases Magecart lay undetected for months, meaning victims could not act while Magecart collected masses of customer data, therefore speed to action will be essential. Most countries already have existing data protection acts in place to safeguard PII data and the trend globally has been to strengthen the protection of these rights. With the introduction of GDPR, and the imminent introduction of the California Customer Privacy Act (CCPA), and already established regulations such as Payment Card Industry Data Security Standard (PCI DSS), damage limitation and incident response are key. Acting swiftly and having a prevention strategy in place will reduce the impact of any regulatory sanctions, or brand impact. The stakes could not be higher for e-commerce businesses. Gemalto recently found that 70 per cent of consumers would stop doing business with a company if it experienced a data breach. Worryingly, recent Ensighten research found that nearly half (46 per cent) of enterprises believe they’re on the brink of a website breach.
The current state of play
Get rid of the infection and turn eyes towards protection
With a firm understanding of Magecart we can look at prevention to help protect businesses against Magecart and attacks associated with it. This starts by turning eyes inward to your organisation and asking the following questions:
- Do you know which third-party vendors are operating on your website? How do you guarantee this?
- Can you ensure that third-party technologies on your site can’t capture sensitive information? How do you go about this?
- Can you ensure that the end script is the one which is permitted? How can you double check this is still the case?
- Can you control what content is being loaded into the third-party requests? If an unvalidated script was accessing card payment details on your site, would you be able to immediately stop it?
However, information security strategies are a constant evolution. So, whilst the above is a starting point, security professionals must also use Website Data Leak Prevention and marketing security solutions, so that if a trusted third-party script is compromised you can prevent any alterations to your site and stop any leaks before they take place.
If 2018 was Magecart’s coming out party, 2019 can be the year the e-commerce industry strikes a blow to the group’s activities. These relatively simple cyber threat measures could be the difference between a thriving business, and one facing debilitating GDPR and PCI DSS sanctions.
Ian Woolley, Chief Revenue Officer, Ensighten
Image source: Shutterstock/deepadesigns