Magecart attacks: how your credit card data gets stolen from e-commerce sites


Threat actors continue to conduct Magecart attacks to steal financial data and personal information from e-commerce platforms. Let’s look at the attack chain and taxonomy for this illegal practice and countermeasures to mitigate them.

What is a Magecart attack?

The term Magecart was coined years ago and is linked to the name of the group of criminals who first used this technique in attacks against e-commerce websites to steal payment card data.

ADVERTISEMENT

The name Magecart derives from the words “Magento” and “shopping cart.”

The Magento CMS is one of the most common targets of the Magecart groups, as it provides checkout and shopping cart functionality for e-commerce websites.

The attacks are attributed to an umbrella of financially motivated threat actors, each with its own characteristics, that compromise e-stores by injecting malicious code designed to steal visitors' credit card data while purchasing products on sale.

This malicious code is also called software skimmers or e-skimmer. The name comes from physical skimmers, which are devices that criminals superimpose on ATM slots to steal bank customer card data.

The first Magecart attacks were observed as early as 2010, but according to cybersecurity researchers from Sansec, the first mass-executed Magecart attack affecting thousands of stores was reported in 2015.

In 2015, researchers disclosed a serious vulnerability, called Shoplift/SUPEE 5344, in Magento that was targeted in multiple Magecart attacks. Sansec observed over 3,000 compromised Magento stores back in December 2015.

“In the following years, this number of compromised stores quickly grew. As of 2022, Sansec has identified over 70,000 compromised stores that contained a digital skimmer at one point in time. More than 100,000 stores were affected if you include supply chain attack victims,” Sansec reported. “Web skimming is not limited to Magento, other open source ecommerce platforms are also targeted by cybercriminals.”

Sansec
ADVERTISEMENT

Over time, these attacks have become more stealthy, and attackers have developed systems to automate their attack chain. Some groups use tools that can scan the web for outdated e-commerce sites or that use vulnerable plugin-ins and then automatically inject malicious software.

Stolen credit cards are then sold by cybercrime organizations on the dark web for $3 to $45 each.

Magecart attacks expose financial and personal data, can damage brand reputation and consumer trust, and could result in fines due to non-compliance with privacy regulations.

This criminal practice has allowed cybercriminal gangs to compromise several tens of thousands of e-commerce sites, including those of well-known brands.

In September 2018, British Airways suffered a data breach that exposed the personal information of 400,000 customers. The hackers potentially accessed the personal data of approximately 429,612 customers and staff. Exposed data included names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers.

Experts believe the hackers also accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

An investigation conducted by researchers at RiskIQ revealed that the attack on the airline was carried out by the notorious crime gang MageCart.

An interesting aspect of many Magecart attacks is that the threat actors maintain persistence. According to a report published by the security firm Imperva, one out of five eCommerce websites that were previously compromised by Magecart are re-infected in a matter of days.

The attackers gain persistence by establishing multiple backdoors and creating rogue admin accounts.

Other reinfection mechanisms adopted by Magecart groups, include the setup of hidden periodic tasks and database triggers, which re-install the malicious code in case it was removed by the admins.

ADVERTISEMENT

The attackers use to obfuscate the e-skimmer code to avoid detection. In some cases, the skimmer employed in the attacks was designed to check for the use of virtual machines for the same reason.

Cybersecurity firms have spotted hundreds of different software skimmers over time, and threat actors are adopting multiple technique to avoid detection and bypass security measured implemented by merchants to protect their infrastructure.

Magecart attack chain

The Magecart attack chain is composed of the following stages:

  1. The compromise of the server hosting the e-store: The threat actors first need to gain access to the e-store through different means, such as exploiting vulnerabilities in the Content Management System used by the platform (i.e. Magento, OpenCart, Prestashop, and Shopware) and its extensions, using phished credentials, launching brute force attacks, or exploiting misconfiguration issues.
  2. The injection of the e-skimming malware into the payment process: Depending on the type of attack (client-side or server-side Magecart attack), threat actors inject the software skimmer code or a keylogger in the payment process.
  3. The exfiltration of financial and personal information of users: Data captured through e-skimmer software and keylogger are locally stored on the server, then the attackers can periodically access the resource used to store the harvested data or the data could be uploaded to a server under the control of the attackers. Stolen data can be immediately transferred to the attackers or can be sent in batches.

Cloudfare

Magecart attacks classification

Magecart attacks can be classified as server-side attacks and client-based attacks (aka browser-based attacks) depending on the location of the e-skimming software.

ADVERTISEMENT

Client-based Magecart attacks

In browser-based Magecart attacks, the malicious code is injected into the HTML or JavaScript source code of the e-store or of embedded third-party service.

The malicious code, usually a keylogger, is added to the payment form, and once the customer provides its data for purchasing, is sent to the victims.

In some Magecart client-side attacks, threat actors inject malicious code into third-party components used by the e-commerce platform.

Threat actors exploit vulnerabilities in client-side code to inject malicious scripts into the payment pages on e-commerce websites.

Other attack vectors are represented by sideloading, chain-loading of code, and cloud-hosted skimming.

In sideloading and chain-loading techniques, the attackers load e-skimming code on target web pages even while using legitimate scripts and components. The malicious code is loaded directly by web browsers outside of the security perimeter.

In platform or cloud-hosted skimming, the malicious code is hosted on trusted cloud platforms, including Amazon CloudFront CDN, or misconfigured Amazon S3 buckets. This attack scenario allows the injection of malicious code into JavaScript libraries used by thousands of websites.

When the users complete a transaction, the malicious script captures the form data before sending it to the cybercriminal. This kind of attack doesn’t interfere with transaction data, which still flows through to the e-commerce platform. For this reason, administrators are not able to promptly detect it.

Server-side Magecart attacks

ADVERTISEMENT

In Server-side Magecart attacks, the software skimming code is injected during the checkout process. Experts observed multiple techniques to inject the malware. The malicious code could be stored on the filesystem, in the database, or injected in memory.

The skimmer code is designed to capture customer and payment data that is entered into the e-commerce. The data is locally stored and could be exfiltrated with different techniques. Data can be stored in a password-protected archive or appended to an image on the server. The attackers then periodically retrieve the archive or the image from the server.

During the past several months, threat actors behind Magecart attacks switched their operations to server-side. The move aims at evading detection. Anyway, security researchers pointed out that client-side attacks are still popular in the cybercrime ecosystem.

The number of solutions that can detect server-side Magecart attacks by looking for PHP-based skimmers is limited, and for this reason, threat actors prefer them. Researchers pointed out that the interest of cybercrime in harvesting information such as financial data and crypto assets still motivate the attackers to launch client-side attack via JavaScript.

Another trend observed by the experts is the focus of specific Magecart groups on supply chain attacks.

Recently attackers have pivoted to target advertising supply chains used by thousands of websites of all types, from flight booking services to retail.

Malicious actors target organizations that supply components and models used by multiple websites attempting to inject their malicious code in the legitimate code that is used by their customers. Websites relying on a third-party software may be compromised by loading the e-skimmer code provided by the supplier. Attackers can also leverage on compromised content delivery networks (CDN) to spread malicious code and infect websites loading it.

Recently, Magecart attackers were also observed using hosting services as attack vectors to inject malicious code into client sites.

In other attacks, threat actors have hidden the malicious script in the metadata of image files or authentic CSS files.

ADVERTISEMENT

Magecart attack mitigation

To identify and block Magecart client-side attacks, it is recommended to:

  • Keep e-commerce CMS up to date.
  • Implement multifactor authentication (MFA) for the admin console.
  • Track any third-party JavaScript used on the e-store and reduce the number of third-party services to mitigate the risk of supply chain attacks. Administrators should perform regular auditing of third-party e-commerce code, and they are also advised to host third-party scripts on their own infrastructure.
  • Implement HTTP Content-Security-Policy headers to reduce the exposure to cross-site scripting (XSS), clickjacking, and other code injection attacks. The use of With a CSP allows administrators to implement an allowlist of trusted and validated network locations and prevent data exfiltration in case of compromise.
  • Administrators of e-commerce websites should use client-side protection solutions that could automate the detection and mitigation of client-side Magecart attacks.
  • End-users performing online purchasing should use a secure network and avoid shopping while connected to public Wi-Fi networks. Never save payment information in web browsers, and check for “https” within the site URL before entering personal and financial data.
  • Consider adopting a zero-trust approach with JavaScript on the e-commerce website sites.