FBI Issues Warning Over Magecart Attacks

Magecart: The FBI has recently issued a warning to the US private sector about the increase in Magecart attacks seen within the past two years. The attacks started in 2016 and are all categorized under the Magecart umbrella name, which covers attacks that skim credit card data through a website (e-skimming). E-skimming can happen in three steps and is a very lucrative attack style for the threat actor. The threat actor first has to gain access to the web server hosting a company’s online store. After access is obtained, the attacker hides malicious JavaScript code on the website, primarily placing it on the checkout page, to gather the payment information from customer orders.

Originally, the attacks were carried out through open-source e-shopping platforms, with the attacker finding vulnerabilities within the platform to plant the skimmer. More recently, however, threat actors have been evolving their techniques and are now able to compromise almost any online shopping website, even one that does not use an open-source platform. Along with the standard method that targets one store at a time, they also target third-party companies that provide widgets to online stores (e.g. EU cookie compliance and tech support widgets). Threat actors will also target the cloud hosting accounts of websites that have been left open with “write” privileges, allowing the attackers to modify the source code of the website. Some groups are opting to send phishing emails to the stores in an attempt to compromise an administrator account, which would allow them to place the skimmer on the website. Other groups target websites that produce checkout platforms used by many stores, allowing them to infect thousands of stores at once with their skimmer.

Analyst Notes

Magecart attacks are carried out by unsophisticated lone-wolf attackers as well as well-known threat actors, including some that are allegedly state-sponsored. There is no sure-fire way to fully prevent these attacks. Retailers with online shopping solutions should use a service to continuously check the JavaScript code on their checkout page and detect any changes. Consumers should always have an antivirus installed on their system that could detect these skimmers; however, not all antivirus solutions are kept up to date, and attackers often develop new e-skimming methods. Since the code would be on the website that people are using, a browser extension that alerts people when they are visiting a compromised website can help in some circumstances.

A better way for consumers to protect online purchases is to use virtual credit cards. By doing this, people only have to give one website their credit card number, and in return, they can link many different virtual credit cards to their one account. When a consumer purchases something online and the virtual card number gets skimmed, the attacker does not receive the actual card number. This saves the user the hassle of canceling a credit card and getting a new one shipped to them. Consumers can also consider using different credit cards for online shopping, shopping in stores, and recurring payments. If one card is compromised, it is easy to switch to another card until the bank issues a replacement for the compromised card.

With the holiday season fast approaching, people must understand the risks associated with shopping during this time. Many attackers increase their attack pace around this time, knowing that there is an uptick of shoppers using both online and in-store point-of-sale machines and software. If a consumer believes they have been part of a skimming campaign, they should report the fraud to their bank immediately. Catching skimmed cards early can also drastically reduce the amount of money the criminals can steal, so routine checks on credit card statements are also recommended.