Did your company or e-commerce firm recently buy third-party software from a value-added reseller (VAR) or systems integrator? Did you vet the vendor code? If not, you could be at risk for a Magecart group attack.

Magecart is an association of threat actor groups who target online shopping carts, mostly from within the e-commerce platform Magento. The Magecart name is derived by combining ‘Mage’ (from Magento) with ‘cart’ (shopping cart). This type of attack is especially dangerous as it only takes one line of code to steal payment card data.

Magecart attacks can compromise a piece of third-party software from a VAR or systems integrator. Recently, they’ve been infecting a variety of supply chain processes.

Let’s take a closer look at this malicious attack vector and how it has evolved over time. Later, we’ll explore ways you can protect your business and customers from Magecart attacks.

Magecart: Just One Line of Code

Back in 2015, Magecart made global headlines with a series of high-profile attacks targeting some big names in air travel, ticketing and retail.

In the classic Magecart attack, threat actors insert a single line of malicious code, such as a JavaScript sniffer. Once installed, whenever a user lands on the compromised website’s shopping cart or checkout page, the code downloads the JS sniffer. From there, attackers can intercept any information entered onto the page and send the data to the attacker.

This type of credit card number decoder attack is also known as a credit card skimmer, digital skimmer, web skimmer or formjacking.

Magecart can skim anything entered into an online data form, such as card numbers, expiration dates, CVC codes, names, addresses, phone numbers, email addresses and so forth. This data can then be used for identity theft or fraud. In other cases, it ends up for sale on the darknet.

Moving to Third-Party Targets

At first, Magecart targeted specific businesses, large and small alike. More recently attackers have pivoted to target advertising supply chains. Researchers have detected skimming scripts on thousands of websites of all kinds, from flight booking services to retail, cosmetic, health care and apparel companies.

In this version of the attack, instead of specific businesses, threat actors target vendors that supply code that enhances website functionality. For example, web-based ad software suppliers work with thousands of clients. This means the vendor spreads the infected code for the attackers without knowing about it.

Anyone relying on a third-party vendor for part of their website code is at risk. If you drop in code for analytics, you might also insert Magecart payload into your website.

More recently, attackers have even used hosting services as vectors to infect client sites with Magecart. Attackers also cloak malicious code by hiding script in the metadata of image files or authentic CSS files. As a detection technique, some even seek an online steganography decoder service in an attempt to reveal hidden code.

Magecart Supply Chain Threat

As mentioned, for every third-party software vendor there might be another Magecart attack. For instance, a single vendor can provide ticketing, touring and booking services to hundreds of clients. Next, attackers could compromise any kind of media or entertainment site due to infected code. Infected content could also arrive through a content delivery network (CDN). In essence, any website that engages in transactions online or that collects user data could be breached by Magecart.

When Magecart first appeared in 2015, the primary target was open-source Magento e-commerce platforms. Today, the threat is more and more expansive across a wide variety of software categories. One multi-functional script was discovered to be skimming data from a whopping 57 different payment platforms.

Ant and Cockroach Skimmer

Magecart groups most often use the ant and cockroach technique. It involves the following:

  • Separate ‘loader’ and ‘skimmer’ code
  • Checks to target URLs linked to checkout pages with developer tools disabled
  • “Radix” obfuscation technique disguises skimming code
  • Attackers often make slight tweaks to malicious code to avoid detection.

Magecart attacks continue to increase in scope and sophistication. E-commerce and supply chain businesses face increasing pressure to protect their websites against these threats.

Stopping Magecart Attacks

While there’s no magic bullet to prevent skimming attacks, there are some tools and strategies that can help improve and harden your security.

Zero Trust

Consider adopting a zero-trust approach with JavaScript on your sites. This begins with a policy to block access by default to any sensitive information entered in web forms and stored cookies. From there, only a select set of vetted scripts (mostly ones that you author and/or own) is allowed to access sensitive data. If malicious skimming code does infect your site, it’s less likely to access any of the sensitive information.

Third-Party Risk Management

Directed third-party risk management creates a centralized, tightly mapped structure of third-party risk hierarchy including risks, controls, locations and regulations. These models support third-party categorization based on risk, criticality and other factors. Configurable methodologies can assess and score inherent and residual third-party risks. This includes capturing detailed vendor risk data, including severity, impact, mitigating plans and other issues.

Subresource Integrity

Subresource Integrity enables browsers to verify that the resources they fetch are delivered without unseen manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

Subresource Integrity enables you to mitigate attack risk by ensuring that the files your web application or web document fetches (such as from a CDN) have arrived without a third-party having injected any additional content or changes into those files.

Content Security Policy

Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.

Protect Your Business & Customers

The worst thing you can do is pretend like Magecart attacks don’t exist, or think you can’t be affected. If you use third-party software to collect data on your site, it pays to look into protection efforts against Magecart.

More from Data Protection

How Application Allowlisting Combats Ransomware Attacks

5 min read - Ransomware attacks are on the rise in both volume and sophistication. Triple extortion (a ransomware attack on one business leading to extortion threats on its business partners) is raising the cost of attacks. Ransomware-as-a-Service puts the means to attack in the hands of smaller criminal entities, making the tactic a commodity and not just the tool of masterminds. It’s no surprise that ransomware attacks are now substantially more expensive to recover from than other types of data breaches. Keeping attackers…

5 min read

As Data Gravity Goes Up, are Clouds Becoming Black Holes?

4 min read - The more data in one place, the more data it attracts. This “data gravity” is a familiar function for enterprises, even if the term isn’t. As the number of applications hosted on local servers increases, so too does the amount of data necessary for them to operate. Add more data and more applications are required to manage this data. Over time, the cycle repeats again and again as data gravity builds. Now, this gravity is shifting to the cloud. With…

4 min read

How Do Some Companies Get Compromised Again and Again?

3 min read - Hack me once, shame on thee. Hack me twice, shame on me. The popular email marketing company, MailChimp, suffered a data breach last year after cyberattackers exploited an internal company tool to gain access to customer accounts. The criminals were able to look at around 300 accounts and exfiltrate data on 102 customers. They also accessed some customers’ AIP keys, which would have enabled them to send email campaigns posing as those customers. This data breach attack wasn’t especially noteworthy…

3 min read

Why Data Security is the Unsung Hero Driving Business Performance

3 min read - In the digital economy, data is like oxygen — giving life to innovation. And just as important, data security establishes the trust needed for that data to deliver value. In fact, organizations with the most advanced security capabilities delivered 43% higher revenue growth than peers over a five-year period, according to research from the IBM Institute for Business Value (IBM IBV). Yet, when corrupted or exposed through cyberattacks, data can fuel disruption. The cost of a data breach averaged almost…

3 min read