The Magecart threat looms large for online retailers and their customers, as the criminal groups that have been assigned this collective name are constantly trying out new tricks for stealthily compromising the shops and achieving persistence.
According to security researcher Willem de Groot, the Magecart attackers have become so adept at the latter that many online merchants end up having to clean their shops many times.
“In the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times. This shows that counter measures taken by merchants and their contracted security firms often fail,” he pointed out.
Changing tactics and expanding methodologies
De Groot has been tracking this and other similar threats affecting online shops for years now, and puts Magecart operatives’ success down to a number of tactics.
“Magecart operatives are getting more sophisticated in hiding their presence and ensuring future access. Once an operative gains access to a merchant’s server, it is common to litter the site with backdoors and rogue admin account,” he explains.
They also use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload, obfuscation techniques to hide their malicious code, and have begun using zero-day vulnerabilities and exploits to gain a foothold on target sites.
Add to this their penchant for hitting many targets at once by compromising third parties that provide them with certain services, and it’s no wonder that the targets are having trouble keeping Magecart groups at bay.
Among the public examples of stores battling with Magecart reinfections are Kitronik and Zapals.
And it’s not just the online shoppers: customer engagement service Feedify, which has been compromised by Magecart to get to hundreds of e-commerce sites, initially found it challenging to boot them from their digital premises.
On average, it takes online merchants nearly 13 days to discover and remove the skimming scripts injected by Magecart. Reinfections typically occur within 11 days.
Another thing that’s good to keep in mind is that the attackers are particularly active during weekends.
While it may be difficult to prevent Magecart from compromising your online shop, detection of injected scripts or any other malicious code change can be made easier and quicker by using automated tools or services designed specially for this.