
Magecart attacks: how your credit card data gets stolen from e-commerce sites

Threat actors continue to conduct Magecart attacks to steal financial data and personal information from e-commerce platforms. Let’s look at the attack chain and taxonomy for this illegal practice and countermeasures to mitigate them.

Pierluigi Paganini
Nov 5, 2022 (updated 5 November 2022)

What is a Magecart attack?

(Image: Sansec)

Magecart attack chain

  1. The compromise of the server hosting the e-store: The threat actors first need to gain access to the e-store by some means, such as exploiting vulnerabilities in the Content Management System used by the platform (e.g. Magento, OpenCart, PrestaShop, or Shopware) or its extensions, using phished credentials, launching brute-force attacks, or exploiting misconfigurations.
  2. The injection of the e-skimming malware into the payment process: Depending on the type of attack (client-side or server-side Magecart attack), the threat actors inject software skimmer code or a keylogger into the payment process.
  3. The exfiltration of the users' financial and personal information: Data captured by the e-skimmer or keylogger is stored locally on the server, where the attackers periodically retrieve it from the storage location, or it is uploaded directly to a server under the attackers' control. Stolen data can be transferred to the attackers immediately or sent in batches.
(Image: Cloudflare)

Magecart attacks classification

Client-based Magecart attacks

Server-side Magecart attacks

Magecart attack mitigation

  • Keep e-commerce CMS up to date.
  • Implement multifactor authentication (MFA) for the admin console.
  • Track any third-party JavaScript used on the e-store and reduce the number of third-party services to mitigate the risk of supply chain attacks. Administrators should perform regular auditing of third-party e-commerce code, and they are also advised to host third-party scripts on their own infrastructure.
  • Implement HTTP Content-Security-Policy headers to reduce exposure to cross-site scripting (XSS), clickjacking, and other code injection attacks. A CSP allows administrators to define an allowlist of trusted and validated network locations and prevents data exfiltration to other locations in case of compromise.
  • Administrators of e-commerce websites should use client-side protection solutions that could automate the detection and mitigation of client-side Magecart attacks.
  • End-users performing online purchasing should use a secure network and avoid shopping while connected to public Wi-Fi networks. Never save payment information in web browsers, and check for “https” within the site URL before entering personal and financial data.
  • Consider adopting a zero-trust approach to JavaScript on the e-commerce website.
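As an added illustration of the CSP mitigation above (example code written for this article, not a tool from the original author), the following Python checks whether a policy leaves open the three channels a client-side skimmer needs: loading a script from an attacker-controlled origin, sending captured data via fetch/XHR, and submitting it through a form. The origins and policies are constructed placeholders, and the checker implements only the common CSP source forms (`'self'`, `'none'`, `*`, scheme sources, host sources with a `*.` wildcard).

```python
"""Check a Content-Security-Policy against the exfiltration paths a
client-side skimmer relies on. Constructed example; not from the article."""
from urllib.parse import urlsplit

# script-src and connect-src fall back to default-src when absent;
# form-action does NOT, so a policy of just "default-src 'self'" leaves
# form submissions to any origin allowed.
FALLS_BACK = {"script-src", "connect-src"}

def parse_csp(header):
    """'script-src a b; connect-src c' -> {'script-src': ['a', 'b'], ...}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, origin, self_origin):
    """Does one CSP source expression permit the given origin?"""
    src, url = source.lower(), urlsplit(origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == self_origin
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:      # scheme source, e.g. https:
        return src == url.scheme + ":"
    scheme, _, host = src.rpartition("://")          # host source
    host = host.split("/")[0].split(":")[0]
    if scheme and scheme != url.scheme:
        return False
    if host.startswith("*."):
        return (url.hostname or "").endswith(host[1:])
    return url.hostname == host

def allows(policy, directive, origin, self_origin):
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True   # no applicable directive: the channel is unrestricted
    return any(source_matches(s, origin, self_origin) for s in sources)

def skimmer_exposure(header, self_origin, attacker_origin):
    """Map each skimmer channel to True if the policy still allows it."""
    policy = parse_csp(header)
    return {d: allows(policy, d, attacker_origin, self_origin)
            for d in ("script-src", "connect-src", "form-action")}
```

Run against a permissive policy such as `default-src https: 'unsafe-inline'` every channel is reported open; an explicit allowlist for `script-src`, `connect-src` and `form-action` closes all three.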