At over two million detections to date, exploiting the infrastructure of shopping sites to steal payment card data is unlikely to end in the near future.

These attacks are collectively called Magecart, and multiple groups, some more advanced than others, are currently in the sector.

We target online payment forms and steal data on their card while checking out, a cybercrime operation called web skimming. This is achieved by loading the JavaScript checkout code to copy payment data and send it to the database of the attackers.

It is possible to get the software from the check-out page by breaking the site directly or by manipulating a third-party Web tool loaded on the website such as an analytics script or a customer support widget.

Millions of identified Magecart cases

RiskIQ states in a report published today that the first Magecart threat they encountered was on 8 August 2010. The trend only began last year when British Airways, Ticketmaster, OXO and Newegg were struck.

Since then, some hackers have developed hundreds of skimming scripts and infect thousands of websites with card information. More than 960 stores were compromised in one automated attack alone.

RiskIQ reports that millions of users may have been affected by the risk of Magecart. Their telemetry data indicate a total of 2,086,529 Magecart detections instances.

According to the agency, the highest peaks of Magecart detections are supply-chain attacks.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites” – RiskIQ

Group 5 is the most active and advanced of all Magecart groups monitored by security scientists. We rely on third party companies, such as SociaPlus and Inbenta website analytics providers, and skim payment details on hundreds of websites.

The unsecured and inaccurate Amazon S3 buckets are also the targets, as they often store resources that are used by a wide range of domains. One actor looked at them and streamlined the process of discovery and negotiation to affect over 17,000 areas.

Since the project began in early April this year, RiskIQ has tracked the S3 bucket compromise and reported alarming statistics: over 18,000 hosts injecting AWS from Magecart.


Security technologies are monitored by attackers

Most Magecart groups that still rely on RiskIQ are shopping on the Magento website, the main goal when these attacks started to escalate. The attackers are also of particular interest to OpenCart.


Attackers track the growth of these cart platforms closely, and the weaknesses found in one of them are usually followed by a rise in the number of victims.

The background of the victim is changed when a patch is released and applied. The following figure shows how the number of victims varies according to safety changes in Magento.


Take every chance

While the above information clearly show how widespread Magecart is, they don’t tell the complete story about the phenomenon because the risk actors are always looking for new ways to spread their web scripts.

RiskIQ detects a new set of goals, as “Magecart groups often exploit innovative ad script tags to use digital ad networks to simultaneously generate traffic on their skimmers ‘ thousands of sites.” Of all the malicious ads the company has found that 17% are spreading the threat from Magecart.

The average time of a violation is 22 days on average. The explanation is that many victims do not know that JavaScript is loaded maliciously from their website.

New Magecart actors should appear because Magecart is so ubiquitous that its technology is a common occurrence. Many of them are handled by responsible security parties to ensure that traffic does not hit the wrong guys by the offenders.

The malicious domains used to provide the web skimming code and/or collect card information are taken for that purpose. The bad news is that many of these domains end up being posted as the registrar takes them off-line and keeps them.

Since many Magecart scripts remain active on victims ‘ websites, malicious actors buy and restart their operation on their published domains.

Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) released a report last week about Magecart Group 5’s card-stolening scripts that are inserted into websites by commercial routers that provide WiFi in public areas such as airports, hotels, casinos and resorts.

One script, “test4.html,” has software to communicate with commercial Layer 7 routers that can provide WiFi connectivity once a captive portal has been used and sets other requirements, such as pay for the service or display advertisements.

Another script reveals that the actor attempts to exploit Swiper, a JavaScript open source library used by around 300,000 users, to make websites designed for online and mobile devices compliant.

Add a few protections

Ending these events may not be feasible at the moment, but it is possible to reduce their intensity. The Content Security Policy (CSP) allows merchants to search for third-party content authenticity, allowing JavaScript to be loaded from the trusted list of domains and block the attachers ‘ domain.

Subresource Integrity (SRI) is another alternative, which prevents the loading of modified JavaScript code by verifying a valid resource hash cryptograph.

Consumers have little option to keep Magecart secure. Browser plugins that block JavaScript load aid in the cases of untrusted websites, but with those that are already whitelisted they are not useful.

A more sophisticated solution which has obvious weaknesses for the average user is to block connections to the attackers ‘ domains and IP addresses.

Categorized in: