What is Magecart? Everything You Should Know

Michelle Wilson - November 25, 2021

Magecart is the umbrella name for a rapidly growing syndicate of dozens of cybercrime subgroups that specialize in one tactic: digital credit card theft by skimming online payment forms. The name also refers to the JavaScript skimmer code the groups inject. Typically, Magecart groups perform a supply chain attack that targets stores built on the Magento platform in order to steal payment card information.

The idea behind these attacks is compromised third-party software, supplied by a systems integrator or value-added reseller (VAR), running on the site without IT's knowledge.

How Does Magecart Work?

Operatives gain access to websites in one of two ways. The first tactic has operators gaining access to websites directly, while the second uses third-party services to inject malicious JavaScript. Both approaches result in the theft of shoppers' data as they enter details into online payment forms. Most often, this theft occurs on the checkout pages of unsuspecting websites.

In other words, Magecart operatives compromise sites using two methods: breaching the website directly, or working through its supply chain. During a supply chain attack, hackers target the third parties that supply code to websites. These might be vendors that integrate with sites to add functionality, or cloud-based resources from which websites pull code (for example, Amazon S3 buckets). It's essential to recognize that these third parties often integrate with thousands of websites. When one supplier becomes compromised, Magecart effectively gains access to every site that loads its code.

Gaining Access to Website Information

Magecart hackers substitute JavaScript code, either by injecting a reference to a website that hosts the malware or by altering the Magento source code itself. Researchers have currently identified nearly 40 different exploits using this method. The only way to detect this type of breach is to carefully evaluate the code stack (often line by line) to see what changes have occurred.

How Does Magecart Spread?

One of the easiest ways for attackers to host the malware is to upload the code to a new GitHub project. Most security tools don't scan code pulled from GitHub, so the malware hides in plain sight. Criminals also try to assume ownership of existing projects, publishing new versions of the code that contain the malware. This tactic has the direct benefit of spreading effortlessly across the thousands of websites that depend on the project.

Understanding Magecart Targets

Monetary gain isn't the only motive; many breaches target different kinds of sites. Most attacks target e-commerce websites, injecting JavaScript skimmers on checkout pages, but hackers can also target any sensitive, identifiable, or otherwise personal information.

A Magecart attack takes advantage of online businesses' lack of visibility into their web-facing attack surface. Most commonly, the victim doesn't know the compromised third-party JavaScript is on their site, let alone that it's dangerous. Because most victims have no idea the JavaScript on the platform has changed, the malicious code can remain in place indefinitely.

Notable Magecart Attacks


Ticketmaster

In June 2018, Ticketmaster publicly announced that payment information had been compromised through various websites. The investigation determined that Magecart operatives had placed skimmers on the websites' checkout pages. Hackers gained access through a third-party supplier, Inbenta, compromising over 800 e-commerce sites worldwide. These attacks exposed private payment information and consumers' personal details.

British Airways

In September 2018, British Airways announced a breach of its mobile app and website, exposing the payment data of nearly 380,000 customers. Researchers traced the breach to Magecart, which in this case compromised the website directly. Hackers copied and modified the JavaScript behind the payment forms so that all payment information was also sent to an attacker-controlled server. Operatives made sure the forms still functioned as intended to avoid detection.

MyPillow Website

This attack aimed to steal customer information, payment details, and other sensitive data. A Magecart skimmer was installed on the MyPillow website but was quickly discovered and removed. The attackers retained access to the site, however, and attempted a second attack shortly after: they added a new script tag for LiveChat that matched the tag the legitimate LiveChat service normally inserts, then proxied the genuine script and appended the skimmer code below it.

Amazon S3 Buckets

Most Magecart attacks are intrinsically connected to Magento; the name itself combines "Magento" and "shopping cart." Magento-based platforms power a large portion of eCommerce, making them the lifeblood of many Magecart groups. As the shopping software continues to spread, Magecart skimmers spread with it to anyone who uses it.

Current Magecart Skimmers

Three recent Magecart skimmers target the open-source WooCommerce plugin for WordPress. The plugin is particularly popular with online retailers because it simplifies eCommerce for small businesses and major corporations alike. The skimmers also include one named WooTheme, which is simple and easy to use; its code is commonly obfuscated to avoid detection. "Select" is another skimmer currently circulating; a deliberate misspelling of the word helped researchers discover it, and it is a simple variant of the Grelos skimmer. Finally, "Gateway" is a skimmer that uses multiple layers of obfuscation to hide its processes and often remains undetected.

The Evolution of Magecart

Recent reports highlight Magecart's code and the attack methods commonly found among these groups. Reports indicate that at least six different hacking groups are currently developing their own versions of the malware, with enhancements to the code and additional layers of trickery. Most groups have their own distinctive code, methods, and signature, making them easy to classify.

Using Ad Servers

This method still attacks shopping carts, but it takes a new approach to compromise: infecting advertising banners. Compromised ad servers deliver Magecart code along with the ad, and when a user views the ad in the browser, the code, malware included, is downloaded to their computer.

Beyond Magento

Most Magecart attacks involve compromised Magento shopping carts, but one significant attack involved the Shopper Approved website. Shopper Approved provides a customer-rating plugin used to score various websites; the attackers compromised that plugin, and from there the malware was deployed across over 7,000 eCommerce websites.

Creating More Elaborate Attacks

As attackers shift away from spraying malware widely, they take advantage of the logic flow of internal applications. In the British Airways case, the malware consisted of just 22 lines that researchers believe allowed Magecart to steal data. Researchers found the attack on British Airways only by accident, owing to prior modifications made in 2012.

Payment Form Injection and Dual Exfiltration

A Magecart group that calls itself "Group 7" has been in operation since 2018. Its skimmer is known as MakeFrame. The group tests and refines its code on victims' websites and uses dual data exfiltration paths, sending stolen data both to actor-controlled servers and to other compromised sites.

Preventing Supply Chain Attacks

Consider the following tips to protect your networks and stop Magecart and supply chain attacks.

  • Identify all third-party advertising and eCommerce vendors that currently have access to your site. Ask the relevant vendors to perform self-assessments of their code, which might include a review or audit.
  • Use Subresource Integrity (SRI) checks. SRI prevents a script from loading if its content does not match the hash you approved. Pair it with a thorough code review process that tracks these scripts; this requires a concerted educational effort but is essential.
  • Always vet and source your endpoint protection provider, and determine whether it can stop Magecart or other third-party compromise attacks.
  • Continuously review and revise security policies so that suppliers and contractors receive the same treatment as your own staff. Supply chain attacks work because subcontractors and suppliers are held to lower security standards. Holding everyone to the same standard reduces the risk of attack.
  • If you use WordPress, update to new versions as soon as they are released. Version 5.2 specifically screens for supply chain attacks, primarily through the plugin library. While not foolproof, it can reduce the chances of such an attack.

Conclusion

Unfortunately, a Magecart attack often goes undetected and can cause significant privacy harm. Without the proper safeguards in place, hackers can install skimmers on a platform without its owner's consent or awareness. By building solid awareness, companies can work to mitigate these attacks and safeguard consumer information in the process.
