Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/28/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.

For the report "In Plain Sight II: On the Trail of Magecart," conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps aren't properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.

Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. It's not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.

Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information. 

A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers' credit card information to an external server under adversaries' control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.

Magecart groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.

"While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecart's web," Lint continues. "Any website that conducts financial transactions or collects user credentials is a target." Victims ranged from luxury fashion retailers to motorcycle manufacturers and children's learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.

The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. "All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available," the report states. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.

Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.

What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of research estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, it's expected to approach $5 trillion. Lint anticipates the continued growth of the e-commerce market will drive the continued evolution of Magecart attacks.

If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure they're updated as new releases are made available.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: The Right to Be Patched: How Sentient Robots Will Change InfoSec Management.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ebyjeeby
50%
50%
ebyjeeby,
User Rank: Strategist
8/29/2019 | 4:16:07 PM
What, no names?
We need names of sites so we know which ones to avoid!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.