Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/11/2019
10:30 AM
Casey Quinn
Casey Quinn
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Getting Up to Speed on Magecart

Greater awareness of how Magecart works will give your company a leg up on the growing threat from this online credit card skimmer. Here are four places to start.

If you're not yet familiar with Magecart, you should be. On May 3, it was revealed that hackers used it to steal payment info from hundreds of online college bookstores. By some estimates, Magecart attacks have resulted in the theft of more credit card information than the high-profile breaches at Home Depot and Target. Beyond the college bookstores, it has hit the likes of Ticketmaster, British Airways, My Pillow, and Newegg in the last year alone. It's time you got up to speed on the topic.

Magecart (pronounced like "age-cart," but with an "m" at the beginning) is a method used to attack the payment systems of online vendors. It is a credit card skimmer (like those attached to the magnetic stripe readers at gas pumps) that intercepts card numbers and information when a payment card is swiped at the point of sale. The data is then saved or transmitted to be used illegally later. However, unlike at the gas pump, there is almost no way for a consumer to determine that Magecart skimming is about to take place. There is no physical manifestation of Magecart and it is not always easy to catch, even for knowledgeable IT professionals, because it takes advantage of universal code and other applications not typically related to payments.

Since first appearing in 2014, Magecart has been adapted by several different groups and for various targets. Each iteration tries to adapt to whatever defenses it encounters and seeks to exploit new vulnerabilities, making it difficult to effectively predict and stop. Leading researchers, like Yonathan Klinjsma, believe the various Magecart breaches have been carried out by at least 12 different groups since the method was first used and have noticed the groups moving beyond credit cards to steal credentials and administrative information as well.

Generally speaking, payments over the Web are relatively secure, with vendors using PCI DSS-compliant systems. As companies look to cut costs and increase efficiency, many use open source code to simplify the coding process and make it more uniform across the board. Others use third-party vendors to handle their payment systems. Although not necessarily bad ideas, these solutions present enterprising hackers with an opportunity to exploit common weaknesses and employ the Magecart attack.

The Newegg.com Breach
Despite not yet being a household name, Magecart is a growing problem. Last year's breach involving Newegg.com illustrates what Magecart does and how it works. According to Volexity Threat Research, on August 13, 2018, the Magecart attackers registered a domain name called neweggstats.com (indicating that the Newegg website was likely compromised beforehand). That same day, the attackers obtained an SSL certificate enabling the new domain to have an air of legitimacy when browsers communicate with it. The skimming started three days later when hackers added eight lines of malicious code to the payment page and continued for almost a month before it was removed.

More specifically, the Magecart attackers inserted malicious JavaScript code on a single page presented during checkout. To get to that page, a customer had to put an item in the cart and input shipping information. At that point, the customer was taken to the payment page that contained malicious code. Once the customer input their information, it was transferred to a Magecart drop server where the back end of the skimmer saved the information. Once attackers accumulated a significant amount of credit card information (about 500,000 credit card numbers), they listed it for sale on underground markets.

Not surprisingly, Newegg revealed little about how exactly it was compromised. Regardless of whether it was poor IT security protocols, bad password management, or human error, if Newegg had tighter controls, this might have been avoided. It appears that whatever security protocols Newegg had in place failed to identify that a breach occurred for nearly a month. The Magecart attackers certainly made a significant effort to ensure that their actions were not obvious, but it is fair to say that the attack went on longer than it should have.

Protecting Your Company
A seemingly endless supply of online retailers and unassuming consumers who are relying on third-party code or other similar systems to facilitate purchases means Magecart is likely to remain a threat. But being aware of Magecart and how it works should give your company an advantage in protecting itself as you consider the following four measures:

1. Reevaluate your current cybersecurity infrastructure. Your system probably already includes some type of logging and a way for reviewing it, but would you, or your IT team, know if a hacker added eight lines of code to your website's payment page? Regardless of the answer, it is always good practice to regularly ensure that your cybersecurity system is prepared for current threats.

2. Is your IT team aware of what Magecart is? Do they know how they would respond? Do you have a cybersecurity incident response plan in place? The way it developed, it appears Newegg found out about the breach from someone else and then had to be reactive instead of proactive. If a researcher contacted your company to alert you about a breach, would you know what to do? Do you have a plan in place for evaluating any damages and communicating about the situation to your customers?

3. Carefully consider the vendors you use for your business (both online and offline), especially with regard to public facing critical systems like the checkout page. Strive to ensure that your vendors have their own cybersecurity response plan in place and are doing all they can to avoid needlessly exposing your data.

4. Avoid payment methods that require transmittal of critical credit card information. Visa has addressed this with a token system in its Visa Checkout system. While it may not be a perfect solution, it is one that removes the exchange of credit card numbers at checkout and that can protect both you and your customer.

Related Content:

Casey Quinn is an associate in Newmeyer & Dillion's Las Vegas office, and a member of the firm's privacy & data security practice. Casey brings his substantial experience in complex business litigation to the table helping businesses proactively navigate the legal landscape ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...
CVE-2019-5144
PUBLISHED: 2019-12-12
A freed memory access vulnerability exists in the SVG Marker Element feature of Apple Safari's WebKit version 13.0.2. A specially crafted HTML web page can cause a use after free, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically craf...
CVE-2019-3951
PUBLISHED: 2019-12-12
Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.
CVE-2019-19767
PUBLISHED: 2019-12-12
The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.