
Cloud | Commentary
6/11/2019, 10:30 AM
Casey Quinn

Getting Up to Speed on Magecart

Greater awareness of how Magecart works will give your company a leg up on the growing threat from this online credit card skimmer. Here are four places to start.

If you're not yet familiar with Magecart, you should be. On May 3, it was revealed that hackers used it to steal payment info from hundreds of online college bookstores. By some estimates, Magecart attacks have resulted in the theft of more credit card information than the high-profile breaches at Home Depot and Target. Beyond the college bookstores, it has hit the likes of Ticketmaster, British Airways, My Pillow, and Newegg in the last year alone. It's time you got up to speed on the topic.

Magecart (pronounced like "age-cart," but with an "m" at the beginning) is a method used to attack the payment systems of online vendors. It is a credit card skimmer: much like the physical skimmers attached to the magnetic stripe readers at gas pumps, which intercept card numbers and details when a card is swiped at the point of sale, it captures the card data a customer enters at checkout. The data is then saved or transmitted to be used illegally later. However, unlike at the gas pump, there is almost no way for a consumer to determine that Magecart skimming is about to take place. There is no physical manifestation of Magecart, and it is not always easy to catch, even for knowledgeable IT professionals, because it takes advantage of widely shared code and other applications not typically related to payments.

Since first appearing in 2014, Magecart has been adapted by several different groups and for various targets. Each iteration tries to adapt to whatever defenses it encounters and seeks to exploit new vulnerabilities, making it difficult to effectively predict and stop. Leading researchers, like Yonathan Klijnsma, believe the various Magecart breaches have been carried out by at least 12 different groups since the method was first used, and have noticed the groups moving beyond credit cards to steal credentials and administrative information as well.

Generally speaking, payments over the Web are relatively secure, with vendors using PCI DSS-compliant systems. As companies look to cut costs and increase efficiency, many use open source code to simplify the coding process and make it more uniform across the board. Others use third-party vendors to handle their payment systems. Although not necessarily bad ideas, these solutions present enterprising hackers with an opportunity to exploit common weaknesses and employ the Magecart attack.

The Newegg.com Breach
Despite not yet being a household name, Magecart is a growing problem. Last year's breach involving Newegg.com illustrates what Magecart does and how it works. According to Volexity Threat Research, on August 13, 2018, the Magecart attackers registered a domain name called neweggstats.com (indicating that the Newegg website was likely compromised beforehand). That same day, the attackers obtained an SSL certificate enabling the new domain to have an air of legitimacy when browsers communicate with it. The skimming started three days later when hackers added eight lines of malicious code to the payment page and continued for almost a month before it was removed.

More specifically, the Magecart attackers inserted malicious JavaScript code on a single page presented during checkout. To get to that page, a customer had to put an item in the cart and input shipping information. At that point, the customer was taken to the payment page that contained malicious code. Once the customer input their information, it was transferred to a Magecart drop server where the back end of the skimmer saved the information. Once attackers accumulated a significant amount of credit card information (about 500,000 credit card numbers), they listed it for sale on underground markets.

Not surprisingly, Newegg revealed little about how exactly it was compromised. Regardless of whether it was poor IT security protocols, bad password management, or human error, if Newegg had tighter controls, this might have been avoided. It appears that whatever security protocols Newegg had in place failed to identify that a breach occurred for nearly a month. The Magecart attackers certainly made a significant effort to ensure that their actions were not obvious, but it is fair to say that the attack went on longer than it should have.
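The Newegg description above comes down to a small change on one page: a few script lines added to the checkout page, sending data to a newly registered domain. That is exactly the kind of change a recorded baseline of the page's scripts would surface. The script below is an added example, not code from the article, from Newegg, or from any Magecart research; it records every `<script>` on a page (inline bodies by SHA-256 hash, external ones by host name) and reports what differs in a later copy. The two HTML samples, the host names, and the function names (`fingerprint`, `compare`, `check_page`) are all constructed for the illustration.

```python
"""Script baseline check for a checkout page.

Added example, not code from the article or from any affected retailer: it
records every <script> on a page (inline bodies by SHA-256, external ones by
host) and diffs a later copy against that record. Both HTML samples below
are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Walk the HTML once, noting inline script hashes and external hosts."""

    def __init__(self):
        super().__init__()
        self.inline = []        # sha256 of each inline <script> body
        self.external = []      # host of each <script src=...>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urlparse(src).netloc or "(same-origin)")
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def fingerprint(html):
    """Summarise the scripts on a page as a baseline record."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"inline": sorted(parser.inline),
            "external": sorted(set(parser.external))}


def compare(baseline, current):
    """Return the differences; an empty dict means nothing changed."""
    findings = {}
    added = sorted(set(current["inline"]) - set(baseline["inline"]))
    removed = sorted(set(baseline["inline"]) - set(current["inline"]))
    new_hosts = sorted(set(current["external"]) - set(baseline["external"]))
    if added:
        findings["added_inline"] = added
    if removed:
        findings["removed_inline"] = removed
    if new_hosts:
        findings["new_external_hosts"] = new_hosts
    return findings


# Constructed sample: the checkout page as deployed (the baseline).
BASELINE_HTML = """<html><head>
<script src="https://checkout-assets.example.com/payment.js"></script>
<script>
  // constructed: the shop's own form validation
  function validate(f) { return f.cardnumber.value.length >= 13; }
</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample: the same page with an extra inline script and a script
# host the baseline never saw. The inline body is only a placeholder comment.
MODIFIED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script>/* constructed: unexpected inline script */</script>\n'
    '<script src="https://stats.example.invalid/s.js"></script>\n</head>')


def check_page(baseline_html, current_html):
    """Compare a fresh copy of the page against the recorded baseline."""
    return compare(fingerprint(baseline_html), fingerprint(current_html))


if __name__ == "__main__":
    for name, result in (("unchanged", check_page(BASELINE_HTML, BASELINE_HTML)),
                         ("modified", check_page(BASELINE_HTML, MODIFIED_HTML))):
        print(name, "->", result or "scripts match baseline")
```

In practice the baseline would be stored when a release is deployed and the fresh copy fetched from the live site on a schedule, from outside the hosting environment, so that a change made directly on the web server still shows up. Hashing the inline bodies rather than counting scripts means even a one-line edit to an existing block is reported, and tracking hosts rather than full URLs keeps cache-busting query strings from producing noise.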

Protecting Your Company
A seemingly endless supply of online retailers and unassuming consumers who are relying on third-party code or other similar systems to facilitate purchases means Magecart is likely to remain a threat. But being aware of Magecart and how it works should give your company an advantage in protecting itself as you consider the following four measures:

1. Reevaluate your current cybersecurity infrastructure. Your system probably already includes some type of logging and a way of reviewing it, but would you, or your IT team, know if a hacker added eight lines of code to your website's payment page? Regardless of the answer, it is always good practice to regularly ensure that your cybersecurity system is prepared for current threats.

2. Is your IT team aware of what Magecart is? Do they know how they would respond? Do you have a cybersecurity incident response plan in place? The way it developed, it appears Newegg found out about the breach from someone else and then had to be reactive instead of proactive. If a researcher contacted your company to alert you about a breach, would you know what to do? Do you have a plan in place for evaluating any damages and communicating about the situation to your customers?

3. Carefully consider the vendors you use for your business (both online and offline), especially with regard to public-facing critical systems like the checkout page. Strive to ensure that your vendors have their own cybersecurity response plan in place and are doing all they can to avoid needlessly exposing your data.

4. Avoid payment methods that require transmittal of critical credit card information. Visa has addressed this with a token system in its Visa Checkout system. While it may not be a perfect solution, it is one that removes the exchange of credit card numbers at checkout and that can protect both you and your customer.

Casey Quinn is an associate in Newmeyer & Dillion's Las Vegas office, and a member of the firm's privacy & data security practice. Casey brings his substantial experience in complex business litigation to the table, helping businesses proactively navigate the legal landscape ...