Is your website vulnerable to a Magecart attack?


Within the eCommerce world, Magecart attacks have far reaching consequences, from credit card fraud to substantial brand damage. Magecart is the name given to sophisticated hacking groups that employ a specific type of web skimming attack, which injects malicious JavaScript into a website by exploiting a hole within the website code itself, or by infiltrating a third-party tag.

Once injected into a web application or website, the Magecart malware is delivered and executed in the browser along with the HTML and other first-party code. Since third-party code has the same access to web resources as first-party code, a skimmer injected into third-party code is able to look for sensitive user data, such as usernames, passwords, social security numbers and credit card numbers. This data is then skimmed and sent on to the attackers for illicit use.


There are many avenues through which Magecart and other skimming malware can be injected into a website, some easier to protect against than others. Ensuring that the stack hosting the website is fully patched and running the latest component versions is essential, but when it comes to third-party tags — protection is a challenge. Tags can contain thousands of lines of code, which makes active review difficult, and when a tag is loaded from a remote location, such as GitHub, reliance is often placed on the provider to keep their repository secure.

Website owners can, and should, assess their site to ascertain areas where they may be at risk to Magecart and other data skimming attacks. There are a number of things that can be easily examined to highlight areas of concern and then tracked as part of an overall security practice.

Regularly audit your third-party JavaScript tags and scripts

Injecting Magecart malware into a third-party tag is a common way for attackers to exploit a website. Third-party JavaScript only executes once it is delivered into a client’s browser, making it harder for administrators to detect malicious activity.

You can use the debugging tools in most browsers to see a list of the tags being used by your web app or website. For example, if you open the resources tab in the Safari debugger, you can see all the included scripts and where they are loaded from.

In the image below, you can see that cnn.com loads scripts from outbrain.com, krxd.net, adsafeprotected.com, ampproject.org, and more.

Using a script from a third-party vendor doesn't automatically mean that a site is vulnerable to Magecart and skimming attacks, but every tag you add, and every remote repository you rely on, enlarges your attack surface and raises the risk of a breach. As a basic recommendation, website developers should:

  • Regularly audit all third-party tags and scripts being used on your web applications or websites. 
  • Create a list of all the locations or domains that are delivering third-party content and assess them for security risk. 
  • Stay up-to-date to ensure there are no published exploits or known vulnerabilities around third-party code which you use.
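The three steps above amount to building and maintaining a script inventory. The following is an added example (not Instart's code, and not a tool the post describes) of doing that outside the browser: it parses a saved copy of a page, lists every external domain that delivers JavaScript, and flags third-party scripts that carry no Subresource Integrity hash. The sample page, the first-party host `shop.example`, and the `audit_scripts` helper are constructed for illustration; the third-party domains are the ones the post names from its cnn.com screenshot.

```python
"""Inventory the <script> tags of an HTML page and flag third-party sources.

Added example, not code from Instart or from any project. It does for a saved
page what the browser's resources tab does interactively, so it can run in CI
against each checkout or login page after every deploy and diff the result.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party store (shop.example) that loads the
# same kinds of third-party tags the post observed on cnn.com.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.outbrain.com/outbrain.js"></script>
<script src="https://cdn.krxd.net/controltag"></script>
<script src="//static.adsafeprotected.com/iab.js"></script>
<script async src="https://cdn.ampproject.org/v0.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def _registrable(host):
    """Crude eTLD+1 (last two labels). Fine for an inventory; use a
    public-suffix list if your hosts look like example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def audit_scripts(html, first_party_host):
    """Return (third_party, inline_count).

    third_party maps each external registrable domain to the scripts loaded
    from it; each entry records the src and whether an integrity attribute
    (Subresource Integrity) was present."""
    collector = ScriptCollector()
    collector.feed(html)
    own = _registrable(first_party_host)
    third_party = {}
    inline = 0
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            inline += 1          # inline blocks need review too, but are first-party
            continue
        # scheme="https" resolves protocol-relative "//host/path" URLs as well
        host = urlparse(src, scheme="https").netloc
        if not host or _registrable(host) == own:
            continue             # relative path or own domain: first-party
        entry = {"src": src, "sri": "integrity" in attrs}
        third_party.setdefault(_registrable(host), []).append(entry)
    return third_party, inline


def report(third_party, inline):
    """Render the inventory as lines suitable for a CI log or a tracked file."""
    lines = [f"inline scripts: {inline}"]
    for domain in sorted(third_party):
        for entry in third_party[domain]:
            flag = "" if entry["sri"] else "  [no SRI]"
            lines.append(f"{domain}: {entry['src']}{flag}")
    return lines


if __name__ == "__main__":
    tp, inline_count = audit_scripts(SAMPLE_HTML, "www.shop.example")
    print("\n".join(report(tp, inline_count)))
```

Commit the report output alongside the site and fail the pipeline when a new domain appears; that turns the "create a list of locations" step into a check that runs on every release. The SRI flag is only meaningful for scripts whose content is pinned: tag managers and ad loaders that change their payload will not work with a fixed hash, so for those the domain list, not the hash, is what you review.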


Perform regular research into third-party tags

The use of JavaScript within a website is an essential part of delivering the rich and immersive experiences expected by consumers today, and third-party tags play a large part in this. When a site opts to include functionality such as a chatbot or a shopping cart, it will often leverage a third-party component to deliver it.

Like any codebase, third-party JavaScript libraries can and do have bugs. Sometimes, these bugs are benign and may result in something not being displayed correctly in a browser. Other times, these bugs can lead to vulnerabilities which allow attackers to upload malicious scripts. Where third-party code is used, it is essential to perform simple, but regular, research.

As an example, a recent audit of a prospect’s website showed the use of a tag provided by addthis.com — a JavaScript library which provides social sharing buttons within a website. A quick Google search revealed that in 2017, a cross-site scripting vulnerability was published, putting any site utilizing this plugin at risk. While this issue was addressed by the vendor, it does highlight how easily mass exploitation could be performed when a single tag becomes vulnerable.

Google is an exceptionally powerful tool for quick research into security issues, but there are also many security mailing lists you can subscribe to in order to keep track of newly discovered issues.

Perform penetration testing

Magecart attackers require an avenue to exploit and inject their malware, which typically means some form of vulnerability. For example, websites that are vulnerable to cross-site scripting attacks could also be leaving themselves open to web skimming attacks such as Magecart.

There are many organizations that provide penetration testing services, which use tools and professional services to conduct research and simulate attacks against a web application to look for various bugs and holes. Penetration testing is a useful way to discover bugs — even small, harmless bugs can be combined with other attack avenues to facilitate a Magecart attack. 

Most modern web apps are susceptible — don’t be the next target 

It’s important to realize that almost every website that uses JavaScript or leverages third-party code is potentially susceptible to Magecart and web skimming attacks. From small mom-and-pop online stores to industry giants like British Airways, Magecart hackers constantly look for weaknesses that allow them to inject their malware and steal sensitive user data.

Once organizations perform a small amount of due diligence into their website risk, they can begin to formulate a security plan to avoid damage in the event that an exploit occurs. The negative impact of a successful Magecart attack can have serious consequences for brand image — and any business with an online presence should understand how they could be targeted.

Instart security services enable organizations to protect their online assets against Magecart and other skimming attacks. Instart offers technology that allows website owners to protect HTML form fields from sensitive data exfiltration, protect against cookie theft and more.
