Stop Magecart: Defense against the dark arts of web skimming attacks


Halloween is upon us, bringing with it ghosts, wizards, curses, and other dark creatures. It’s a good reminder for organizations to make web security choices that will scare away the latest threat haunting websites: Magecart. The web skimming attacks carried out by the cybercrime syndicate known as Magecart have recently made headlines, highlighting that protecting personal data in the browser is an absolute necessity.

The newest dark lord has emerged

Magecart attacks have largely gone unnoticed within the security world despite their growing prevalence in eCommerce and other industries that collect credit card information from customers. But the days of lurking in the shadows are over: Magecart has become a threat that customers, companies, and government agencies can no longer ignore. The FBI recently issued an official warning to businesses about the dangers of e-skimming, also known as web skimming or Magecart attacks.

If your web security solutions are leaving gaps in your security perimeter, such as code in the browser unprotected, the consequences could be more blood chilling than finding a ghoul in your closet. 

British Airways was slapped with a $230M fine after Magecart attackers stole data from hundreds of thousands of its customers in a massive breach in 2018. Attackers were able to insert around 22 lines of code into the airline’s website, allowing them to capture customer credit card numbers and other sensitive pieces of information from approximately 500,000 customers.


Avadata exfiltration — how Magecart operates

The main premise of a Magecart attack is to use JavaScript to monitor for data being entered into specific form fields, such as a password, social security number, or a credit card number, and then make a copy of it.

To do this, web skimming attacks typically follow a well-established pattern. They must achieve three things to be successful:

  1. They must gain access to your web application or website using infected JavaScript, typically from a third-party vendor.
  2. They plant malicious skimming code somewhere on your website, mainly targeting the web form fields where sensitive information is collected.
  3. Once the infected script is planted on your website, it’s game over. The skimmer code copies information as customers enter it into a page and sends it back to the Magecart attackers.

Part of the reason Magecart is so successful is the way modern web apps and websites are built: developers use a combination of HTML, CSS, and JavaScript, both from internal teams and from third-party vendors, to achieve the rich, dynamic web experiences that consumers expect.

Early Magecart attacks focused on the website itself, looking for vulnerabilities within a site that allowed attackers to upload their code. More recent attacks have shifted to browser-based attacks that leverage scripts from third-party vendors, which tend to have weaker security in place and give attackers an easier path into larger and more valuable enterprise targets.

Third-party JavaScript has the same access to resources and content as your own first-party code, and browsers provide only limited control over what third-party scripts can access. So any time third-party code loads on your website, your customers’ data could be at risk.


Your standard book of spells is probably falling short

One of the most challenging parts of trying to defeat this dark lord is that Magecart is extremely difficult to detect. Web skimming attacks do not take place on your backend infrastructure, but directly in a visitor’s browser. In traditional data-theft attacks, there are traffic logs or flags raised when unusual activity is detected. 

But with Magecart attacks, the malicious JavaScript only operates once it is loaded in the browser, away from all your internal security controls. In other words, these attacks are invisible because none of the attack code or exfiltration commands actually pass through your network. Traditional security solutions like a web application firewall (WAF) are useless at detecting and defending against browser-based threats like Magecart and other web skimming attacks.

In almost all cases of Magecart detection, discovery is achieved only when the company is alerted to credit card fraud and a code review takes place. RiskIQ estimates that Magecart has been implicated in over two million web skimming attacks to date — but the reality is the number could be much higher.  


Stopping Magecart requires constant vigilance! (and web skimming protection)

Modern technology has given rise to a landscape of constantly evolving threats that makes everyone a potential target. As attackers continue to focus more on the client, organizations will need to show constant vigilance when it comes to script and browser vulnerabilities, or leave themselves open to risk.

Forrester Research suggests the following steps to protect your web applications against browser-based threats:

  • Regularly analyze all of your own website scripts throughout the development lifecycle.
  • Implement client-side protections such as web skimming or malware protection.
  • Deploy a bot management solution that is able to detect and defend against sophisticated botnets that result from browser-based attacks.

The best defense against web skimming attacks is to prevent any JavaScript from gaining unauthorized access to sensitive data by adopting a zero-trust approach to third-party JavaScript, effectively disarming the threat without having to rely on weaker detection methods. After all, attackers can’t steal information if they can’t see it in the first place.

Instart Web Skimming Protection intercepts all API calls from any JavaScript in the browser and automatically blocks access to all HTML form fields and cookies, unless they have been given explicit permission. This approach prevents any script, whether malicious, infected, or non-critical, from gaining access to sensitive customer data and protects your apps, your customers, and your brand from a breach. 
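To make the zero-trust idea concrete, here is an added example that is not Instart’s product code and does not show how their product is built. It models a default-deny gate in front of form-field values and the cookie string in plain Node, so it runs without a browser: a script may read a field only if the policy names its origin for that field, and every other read returns nothing and is written to an audit trail. The policy, field values, cookie and script origins are constructed. One assumption is spelled out in the code: the identity of the script doing the read is passed in explicitly through `withScript()`, whereas a browser-side implementation has to attribute the caller itself, which this model does not attempt.

```javascript
// Added example, not Instart's product code: a default-deny gate in front of
// form-field values and the cookie string, modelled in plain Node so it runs
// without a browser. A script may read a field only if the policy names its
// origin for that field; every other read returns undefined and is recorded.
// Assumption: the origin of the script doing the read is passed explicitly via
// withScript(); a real browser-side implementation has to attribute the caller
// itself, which this model does not show.

// Which script origins may read which field (constructed policy).
const FIELD_POLICY = {
  card_number: ["https://www.example.com", "https://checkout.psp-example.com"],
  card_cvc:    ["https://checkout.psp-example.com"],
  email:       ["https://www.example.com"],
  cookie:      ["https://www.example.com"],
};

// Values a visitor has typed, plus the cookie jar (constructed).
const PAGE_STATE = {
  card_number: "4111111111111111",
  card_cvc: "123",
  email: "visitor@example.com",
  cookie: "session=constructed-session-id",
};

function createAccessGuard(state, policy) {
  const denied = [];          // audit trail of blocked reads, for reporting
  let currentScript = null;   // origin of the script currently running

  // The Proxy lets a script use the state like an ordinary object; the gate
  // decides per field whether the running script gets the real value.
  const guarded = new Proxy(state, {
    get(target, key) {
      if (typeof key !== "string") return undefined;
      const allowed = (policy[key] || []).includes(currentScript);
      if (!allowed) {
        denied.push({ field: key, script: currentScript });
        return undefined;     // unauthorized scripts simply see nothing
      }
      return target[key];
    },
  });

  // Run fn as the given script origin, with access only through the gate.
  function withScript(origin, fn) {
    const previous = currentScript;
    currentScript = origin;
    try {
      return fn(guarded);
    } finally {
      currentScript = previous;
    }
  }

  return { withScript, denied };
}

// Scenario: the first-party checkout script, the payment provider's script and
// an unapproved third-party tag each try to read sensitive fields.
function runScenario() {
  const guard = createAccessGuard(PAGE_STATE, FIELD_POLICY);
  const results = {
    firstParty: guard.withScript("https://www.example.com", (s) => s.card_number),
    psp:        guard.withScript("https://checkout.psp-example.com", (s) => s.card_cvc),
    pspEmail:   guard.withScript("https://checkout.psp-example.com", (s) => s.email),
    thirdParty: guard.withScript("https://cdn.vendor-example.net", (s) => [s.card_number, s.cookie]),
  };
  return { results, denied: guard.denied };
}

const { results, denied } = runScenario();
console.log(results);
console.log("blocked reads:", denied);
```

In the scenario the first-party script reads the card number, the payment provider reads the CVC it is permitted to handle but not the email address, and the unapproved third-party tag gets neither the card number nor the cookie. The three blocked reads land in the audit trail, which is the detection signal the post says is otherwise missing: a third-party script touching a field it was never granted is worth an alert even when the page keeps working.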
