The Magecart Mess

Published July 01, 2019

As we head into summer with BBQs, baseball games, and backyard fun, don't be too surprised if you find yourself wondering what the #1 root cause of retail, tech, and manufacturing breaches was in the last year. According to F5 Labs, it’s Magecart.

What is Magecart? Magecart is really a term given to a group of cybercrime units. At least a dozen groups are responsible, and each has its own specialty. For instance, Group 5 is implicated in the Ticketmaster attack in 2018. But this type of attack has been happening since 2014, starting with Group 1.

The group started by exploiting vulnerable servers or compromising shopping cart pages. They would change the content, code, and scripts with their own malicious software to steal credit card and personal data.

They’ve advanced to the point where they can now skim payment information through a web code injection attack delivered through third-party ad services. Attackers compromise an advertising service and inject malicious code. The compromised JavaScript library is then loaded on the ecommerce websites that the ad service serves. While customers are entering their credit card info, the skimmer is working in the background to steal the data. Once that’s captured, you know the routine: it is stored on a server and communicated back, then goes to underground sellers/buyers, who either purchase goods or restripe a blank, and you have no idea what happened.

Ticketmaster (as mentioned earlier), Newegg, Sotheby’s, and British Airways have all been victims. In fact, Ticketmaster itself was not directly breached; its third-party supplier was compromised. The custom JavaScript module made for Ticketmaster was replaced with the digital skimmer code. But they weren’t the only ones. Hundreds of sites have been compromised this way.

Compromising third-party systems is a great way to gain access to a target. Often, they are smaller companies with fewer layers of security. And they have direct access to the target. Remember those days when attacks came in via a backend network connection that wasn’t properly segmented or secured with some authentication? Kinda the same, except it is digital ads now. Let someone else do the delivery for you.

Digital card skimming is appealing to criminals since there is a high chance of success and it is relatively easy. Other attacks require things like malware or direct compromise or even social engineering to be successful. There is time, effort, and sometimes expertise required. And, the success rate in comparison to Magecart is lower. Why not go for the easy grab with high profit?

The other reason it is successful is that it is almost impossible for the customer to detect. While you are in the emotional throes of excitedly entering your payment info for free shipping, the skimmer is invisibly hovering over the field to grab your data. Traditionally, skimmers were physical ‘add-ons’ to things like ATMs, gas pumps, and checkout kiosks. It could be something covering the actual insert, or a thin membrane designed to blend into the machine. You can thwart these physical threats by taking a good look at where you enter your card or running your finger across the slit to feel for anything out of the ordinary. In the digital case, it is virtually invisible. It’s no wonder injection attacks remain at the top of the OWASP Top 10.

The attackers are always iterating on their code to avoid detection: obfuscation, encryption, and even disrupting and disabling other card skimming software that might already be running on the site. In one case, the script also constantly cleaned the browser debugger console messages to thwart detection and analysis. Group 12’s script goes so far as to check the URL for keywords like ‘billing,’ ‘checkout,’ and ‘purchase,’ according to Trend Micro. They even included localization by including the French word for basket, ‘panier,’ and the German word for checkout, ‘kasse.’ Once it notices the targeted strings, the script starts its skim, and each victim gets a random number generated to identify them. Once the victim closes or refreshes the browser, another JavaScript event fires, sending the captured payment data, the e-tag (random number), and the ecommerce domain to a remote server.

Magecart is a large active threat that could be bigger than the point-of-sale breaches at Target or Home Depot, according to RiskIQ. Although researchers are becoming aware of this risk, it doesn’t mean they’ll be able to detect every attack. The criminals are clever.

As with many security threats, a layered or defense-in-depth approach is key. Obviously patching all servers and segmenting sensitive systems is important. Ensuring all extensions and third-party systems are up to date is as well. It’s also important to make sure the content and files being delivered through a CDN (external source) or other domains haven’t been altered or tampered with. And certainly, a WAF with signatures or rulesets focused on known vulnerabilities being exploited by Magecart can help.
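One way to check that third-party scripts on a checkout page have not been altered is Subresource Integrity hashes, a browser mechanism this article does not name. The Node.js audit below is an added example, not code from F5; the hosts, script bodies, and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI token for a script body: "<algo>-<base64 digest>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body, 'utf8').digest('base64')}`;
}

// Flag cross-origin <script src> tags that were never reviewed, lack an
// integrity attribute, or pin a hash other than the reviewed copy's.
function auditScripts(html, pageUrl, reviewed) {
  const findings = [];
  const origin = new URL(pageUrl).origin;
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;                          // inline script, out of scope here
    const url = new URL(src[1], pageUrl);
    if (url.origin === origin) continue;         // first-party file
    const integrity = /(?:^|\s)integrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const expected = reviewed[url.href];
    let issue = null;
    if (!expected) issue = 'unreviewed-source';
    else if (!integrity) issue = 'missing-integrity';
    else if (!integrity[1].trim().split(/\s+/).includes(expected)) issue = 'hash-mismatch';
    if (issue) findings.push({ url: url.href, issue });
  }
  return findings;
}

// True when the body a CDN serves now still matches the reviewed hash.
function unchanged(servedBody, expected) {
  return sriHash(servedBody, expected.split('-')[0]) === expected;
}

// Constructed sample data: hypothetical hosts and script bodies.
const ADS = 'https://ads.example.net/lib.js';
const CDN = 'https://cdn.example.org/widget.js';
const ADS_BODY = 'window.adsReady = true;';
const REVIEWED = { [ADS]: sriHash(ADS_BODY), [CDN]: sriHash('widget build 2') };
const CHECKOUT_HTML = `
<script src="/js/cart.js"></script>
<script src="${ADS}"></script>
<script src="${CDN}" integrity="${sriHash('widget build 1')}" crossorigin="anonymous"></script>
<script src="https://tags.example.io/t.js"></script>
<script>var inline = 1;</script>`;

const findings = auditScripts(CHECKOUT_HTML, 'https://shop.example.com/checkout', REVIEWED);
console.log(findings);
console.log(unchanged(ADS_BODY, REVIEWED[ADS]), unchanged(ADS_BODY + '/* altered */', REVIEWED[ADS]));
```

A tag that carries a correct `integrity` value makes the browser refuse a modified file; the `unchanged` check covers the monitoring side, where a scheduled job re-fetches each reviewed URL and alerts when the served body drifts.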

These attacks are always evolving, becoming more sophisticated and looking for new patsies. And supply chain attacks give crooks access to thousands of sites. All at once.

Finally, any breach is a good lesson to regularly check credit card, bank and financial statements for any unusual activity. See it, report it.

If you’d like a more in-depth look at Magecart and other injection vulnerabilities, head on over to F5 Labs for their Application Protection Report 2019, Episode 3: Web Injection Attacks Get Meaner.