You may have heard talk about a shadowy entity called ‘Magecart’. You may know that whatever or whoever this ‘Magecart’ is, it’s not good, but you may have other questions: who or what are they, what do they do, and how can you defend against them? This article shall attempt to answer those questions.
Magecart is an umbrella term given to a variety of cyber criminal groups, unified in seeking the same target: payment card details. Where once upon a time skimming card details required inserting specialist hardware into a cash machine slot, the prevalence of e-commerce has presented a far easier and lower-risk avenue for cyber criminals to achieve their goals. The threat is unlikely to go away any time soon: ‘the rewards are too great, the hurdles too low, and the consequences largely non-existent’, write the authors of the 2019 joint RiskIQ–Flashpoint report that detailed seven of these groups.
Magecart currently consists of at least 12 distinct groups, each with slightly similar methodologies. Whilst e-commerce card skimming has been a problem since the early 2000s, the modern Magecart movement appears to have begun with Group 1 in 2014/15. Group 1 (and the possible-distinct Group 2) campaigns are distinguished by ‘cast[ing] a wide net for targeting, likely using automated tools to breach and skim sites.’ The two groups also ‘trick[ed] U.S.-based job seekers into shipping items purchased with the stolen credit card numbers to Eastern Europe’.
To demonstrate the range of modi operandi utilised by Magecart groups, Group 5—believed to be behind the recent breaches of Ticketmaster—compromise upstream extensions used with e-commerce software like Magento, injecting their skimmers by means of a supply chain attack. Group 12 use a similar method, successfully loading their software onto 227 e-commerce sites following the compromise of a third-party Javascript library owned by a French online advertising company.
Group 6 appear to be among the most bold so far, with the aforementioned report describing them as ‘extremely selective, only going for top-tier targets, such as British Airways and Newegg’—referring to the late 2018 breach of the airline that compromised around 380,000 booking transactions, ‘including bank card numbers, expiry dates and CVV codes’.
In addition, there is evidence that the number of groups is both increasing, and that newer groups are attempting more damaging attacks. Group 11, believed to be behind the November 2018 breach of VisionDirect, use a skimmer that is also capable of stealing admin. credentials, potentially putting not just e-commerce sites, but the entire companies behind them at risk. Despite their similarities in targets and approaches, there is evidence that the different groups are engaged in competition, with Group 9’s code having been observed detecting whether Group 3’s is previously installed, and poisoning the payment card data it skims if so.
Whilst ‘there is no silver bullet in preventing web-skimming attacks, but there are still measures that can be taken to mitigate the risks.’ Auditing extensions and rigorously vetting your supply chain coupled with comprehensive logging will both reduce the chances of Groups 5 or 12-style attacks succeeding and help you to detect and respond to an attack that does make it through. Regular vulnerability scans and quarterly penetration tests, as well as restrictive user access control will also help you to remain secure against this developing threat.
