Protect your organization in the age of Magecart

The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. It all really boils down to timing. If the e-commerce world was able to detect such Magecart attacks in a matter of seconds (rather than weeks or months), then we could see an end to Magecart stealing all of the cybercrime headlines.

Magecart security

What steps can organizations take then to mitigate against this method of cyber attack? Let’s delve deeper.

Assess your degree of client-side visibility

To avoid the hindsight is 20/20 syndrome, a key first step is understanding how aware you are of what your users are actually getting when they visit your e-commerce platform. You may think that every user will get an identical, safe-to-use version of your website when, in fact, some users may be interacting with compromised web pages and hijacked forms.

It might surprise you to learn that neither business owners or security teams seem to have a definite answer here.

For far too long now, there has been a spotlight on server-side security. Consequently, just about everything that happens on the client-side (for example the browser and the environment where Magecart attacks thrive) is generally overlooked. Based on the information we have gleaned from previous Magecart attacks, it is obvious that there is no sure-fire way of preventing these types of attacks completely. However, a good place to start is to shift our focus and prioritize what is happening on the client-side.

The average Magecart attack remains undetected for 22 days and it only took 15 days for attackers to steal 380,000 credit cards during the British Airways breach. That’s 18 credit cards per minute. This is how you should look at this threat: each minute that goes by while there’s an undetected skimmer on your website means a growing critical business problem.

Third parties are your weakest link

Various Magecart groups use different strategies to breach e-commerce websites. However, most go after the weakest security link: they avoid breaching your servers and prefer delivering malicious code to your website through third parties.

Nearly all websites use one or more third-party solutions: a live chat widget, an analytics tool, or an accessibility service. By doing so, companies end up having almost no control over the security of this externally sourced code. When attackers breach one of these third parties and inject malicious code, this code very easily bypasses firewalls and browser security mechanisms because the attack originates from a source that is trusted by default – in this case, a legitimate third-party supplier.

It’s crucial that you make sure that your business is scrutinizing third-party code and also its supplier’s level of security. Sadly, though, this is not something companies prioritize, as they are concentrated on product development.

And while many businesses are only just now learning about Magecart web skimmers, these skimmers are far from being the first iteration. Over time, skimmers have evolved to include obfuscation techniques to conceal their malicious code and even go as far as using defense mechanisms to avoid being detected by bots, rendering many detection options useless.

Taking decisive action to detect and control Magecart web skimmers

An ever-evolving security mindset is needed here. Businesses should find ways to quickly detect these injected skimmers and swiftly block Magecart attacks. This is preferable to solutions that prevent malicious (unpreventable) code injections.

Whilst third-party management and validation play a good part, they alone are not enough. The key is to look for malicious behavior.

We know that a skimmer always displays at least one sign of malicious activity. For example, a known script like a live chat has no business interacting with a payment form (formjacking). If that happens, it’s an indicator that something may be wrong. Also, if we start seeing a new script appearing in some user sessions, that is also something that warrants further analysis. Sure, it could be harmless – but it could also be a skimmer. Similarly, a network request to a previously unknown domain may be an indication that attackers are trying to exfiltrate data to their drop servers.

It is precisely here where most businesses are deficient. Not only do companies lack client-side visibility, but they also lack proper detection and control capabilities. Taking decisive action against web skimming means being able to detect and control any malicious activity on the client-side in real-time. To this extent, consider a web page monitoring solution, as it brings real-time visibility of malicious code and provides a more effective Magecart mitigation approach.




Share this