As we head into summer with BBQs, baseball games, and backyard fun, don't be too surprised if you find yourself wondering what the #1 root cause of retail, tech, and manufacturing breaches was in the last year. According to F5 Labs, it’s Magecart.
What is Magecart? Magecart is really an umbrella term for a set of cybercrime groups. At least a dozen groups are tracked, and each has its own specialty. For instance, Group 5 is implicated in the Ticketmaster attack in 2018. But this type of attack has been happening since 2014, starting with Group 1.
The groups started by exploiting vulnerable web servers or compromising shopping cart pages directly. They would replace or add to the content, code, and scripts on those pages with their own malicious JavaScript to steal credit card and personal data.
Compromising third-party systems is a great way to gain access to a target. Often, they are smaller companies with fewer layers of security. And they have direct access to the target. Remember those days when attacks came in via a backend network connection that wasn’t properly segmented or secured with some authentication? Kinda the same, except now the delivery vehicle is a third-party script, such as an ad, an analytics tag, or a chat widget, that the target's own pages load. Let someone else do the delivery for you.
Digital card skimming is appealing to criminals since there is a high chance of success and it is relatively easy. Other attacks require things like malware or direct compromise or even social engineering to be successful. There is time, effort, and sometimes expertise required. And, the success rate in comparison to Magecart is lower. Why not go for the easy grab with high profit?
The other reason it is successful is that it is almost impossible for the customer to detect. While you are in the emotional throes of excitedly entering your payment info for free shipping, the injected script is silently reading the form fields as you type, or hooking the form's submit, and sending a copy of your data to a server the criminals control. Traditionally, skimmers were physical ‘add-ons’ to things like ATMs, gas pumps, and checkout kiosks. It could be something covering the actual card slot, or a thin membrane designed to blend into the machine. You can thwart these physical threats by taking a good look at where you enter your card, or by running your finger across the slot to feel for anything out of the ordinary. In the digital case, it is virtually invisible: the page looks and behaves exactly as it should. It’s no wonder injection attacks remain at the top of the OWASP Top 10.
Magecart is a large active threat that could be bigger than the point-of-sale breaches at Target or Home Depot, according to RiskIQ. Although researchers are becoming aware of this risk, it doesn’t mean they’ll be able to detect every attack. The criminals are clever.
Like many security threats, a layered or defense-in-depth approach is key. Obviously patching all servers and segmenting sensitive systems is important. Ensuring all extensions and third-party systems are up to date is as well. It’s also important to make sure the content and files being delivered through a CDN (external source) or other domains haven’t been altered or tampered with; Subresource Integrity hashes on script tags and a Content Security Policy that restricts where scripts may load from and where form data may be sent are the browser-side controls for exactly that. And certainly, a WAF with signatures or rulesets focused on known vulnerabilities being exploited by Magecart can help, with one caveat: a WAF inspects traffic to your own servers, so it covers the direct-compromise path but does not see a skimmer that a third party's CDN serves straight to the shopper's browser.
These attacks are always evolving, becoming more sophisticated and looking for new patsies. And supply chain attacks give crooks access to thousands of sites. All at once.
Finally, any breach is a good reminder to regularly check credit card, bank, and other financial statements for any unusual activity. See it, report it.
If you’d like a more in-depth look at Magecart and other injection vulnerabilities, head on over to F5 Labs for their Application Protection Report 2019, Episode 3: Web Injection Attacks Get Meaner.