ECommerce platforms are fantastic for their adaptability and personalization. From a retail brand’s first forays into the online space, to a mature organization’s adoption of high-precision customer analytics, there truly is a plug-in for everything. These plug-ins may be excellent for no-code retail brands, but the same reliance on no-code and third-party functionality places these brands – and their customers – in a highly vulnerable position. Magecart attacks can only be prevented with a thorough understanding of web skimming and a Web Application Firewall (WAF).
Web skimming is very similar to its physical counterpart: your card details are stolen so that other people can spend your money. The difference between online and physical skimming is that the online version is far more effective. It’s nearly impossible to trace the criminals responsible for distributing and placing the attacks; it’s harder to detect as the brand takes the flak for the theft; and it’s relatively easy to pull off.
Once a store downloads a Magecart plugin, the plugin will create a backdoor. This grants the attacker administrative control. Once the site is under the control of a perpetrator, malware such as a keylogger is installed in the payment screen. This is connected to an attacker-controlled server, to which it funnels live payment data. The keylogger is totally transparent; neither customers nor the merchant notice any changes. Skimmed credit cards are then sold on tor-hosted marketplaces for $5 to $30 each, after which purchasers will use to their heart’s content.
ECommerce platform Magento became a major target for Magecart attacks in 2015 after a serious, widespread vulnerability was discovered. ‘Shoplift’, or SUPEE 5344, allowed for remote code execution, skipping the initial requirement of a malicious plugin.
Since then, Magecart skimmers have only risen in popularity. Now having been detected on over 2 million global websites, the incidence of attacks increased by over 20% in the early days of the 2020 pandemic.
The British Airways and Ticketmaster Attacks
The largest Magecart attacks in history catapulted the threat to the front pages of the cyber threat landscape. Two separate strikes on British Airways and Ticketmaster in 2018.
A British Airway corporate account was initially compromised, partly due to its lack of 2-Factor Authentication. From there, the attacker progressed to the source code for the BA website and implanted a card skimmer on the general public’s payments page. 380,000 customers had their debit or credit card details stolen in the attack, and BA would later face a fine of £20m for their failure in adequately protecting customer data.
The Ticketmaster attack is somewhat of a misnomer – in a classic case of supply chain attack, Ticketmaster was not directly compromised themselves. Instead, a third-party supplier for their website known as Inbenta was. Inbenta was the provider for Ticketmaster’s brand-new chatbot. This Java-based chatbot was integrated with the site’s payment pages, offering support for customers during the process. When this chatbot was compromised, criminals were able to implant a card skimmer directly into the tool.
Interestingly, the command and control server which the attack relied on had been active since December 2016. This infers that the specific group wielding the Ticketmaster Magecart attack had already benefited from a healthy influx of skimmed cards for years, from potentially hundreds of compromised sites. Following the breach, Ticketmaster was promptly slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK.
The cost of successful Magecart attacks go far beyond ruined customer trust: protecting your customer’s data has never been more important, and regulatory bodies are more than willing to pin fines on you – even if your supplier was the main perpetrator.
Following a major spike in Magecart attacks at the beginning of the pandemic, the frequency of detected attacks has begun to wane. However, researchers are concerned that this is not thanks to a real-world decrease in web skimmer attacks. Instead, it could likely reflect a shift toward covert skimming. Browser-based skimmers are already closely tracked, with strong reporting and blacklist architecture. However, it could very well be that attacks have moved server-side. This makes them far harder to detect with simple scanners, as the analytical tools will not have access to individual servers.
Furthermore, there is growing concern that Magecart attacks are evolving into a new web3 threat. Cryptocurrency and NFT wallets have become extremely valuable over the last year, and researchers have pinpointed a new form of web skimming – crypto drainers. Combining phishing and Magecart attacks, an attacker will plant and promote a believable NFT minting page – closely modeled off a legitimate twin, and often with an artificial countdown to create urgency. When a victim connects their wallet, the crypto drainer will check for the presence of valuable NFTs. If this is found, the victim is presented with a “minting” transaction which, upon completion, simply transfers the valuable NFT to the attacker.
Protecting Yourself from Skimmers
The PCI council encourages eCommerce brands to use external payment services, as these external forms can be harder to compromise. But both Ticketmaster and British Airlines attacks showed attackers can easily access apps and inject a fake payment form into the checkout flow. The stakes are too high to allow this risk to go unchecked. Instead, a high-quality WAF can protect your web applications from web skimmers.
A WAF sits between a public-facing application and its external connections. By monitoring the perimeter of an application, attacks can be blocked before any connection is made. If your WAF is adhering to a zero-trust policy – that is, dependent on a whitelist – then you can define the only trustworthy payment connection as the one you’ve set up. Even if they compromised an account and planted a keylogger, a WAF would also prevent the payment app from accessing the command and control server, thwarting an attacker’s attempts.