E-commerce Retailer Discovered Malicious Code Skimming Financial Data From Site Visitors in the Latest Magecart Attack
With Magecart attacks on the rise, ‘tis the season to be wary. The latest attack targeted one of the largest retail brands in North America, retail giant Macy’s. As widely reported, in this case attackers exploited unpatched and zero-day vulnerabilities on servers to inject skimming code into the retailer’s site. Patching systems and deploying server-side defenses remain essential, but it is also clear that real-time, client-side visibility into script execution is now a necessity. The attack is a clear call to action for all retailers, travel and hospitality sites, and any site that takes payment information to take a new approach to securing user data, starting this holiday season.
In this case, the retailer has a reputation for strong security, and it was not running one of the major shopping platforms like Magento or Volusion, which have been favorite targets for Magecart attacks. This attack underscores both the sophistication of Magecart attacks and the difficulty of defending against them without a new approach to detecting and blocking unauthorized client-side code changes. Magecart attacks stemming from third-party code or scripts have regularly made headlines. However, in this attack, and in the case of the British Airways attack, we believe the Magecart attackers gained unauthorized access to the web servers owned by the respective companies and injected the skimmer into first-party code. Our research team also uncovered a new trend in Magecart attacks: simultaneous attacks by different groups on the same site; all of the attacks discovered in that research were first-party code injections. Even sites with good server defenses are susceptible to Magecart attacks. Visibility into client-side script execution would have provided real-time alerts so that corrective action could be taken.
The story of the most recent attack is by now familiar. Between October 7 and 15, Magecart skimmer scripts were running on the retailer’s checkout and wallet pages, delivered through the modification of a first-party script on those pages. During the week between when the attack began and when it was detected and stopped, cybercriminals likely skimmed customers’ personal data and payment card information, including security codes. The attack did not affect customers using mobile phones: it only affected shoppers using the website from laptops, desktops or tablets.
How Retailers Must Prepare for Potential Magecart Attacks
During the past year, the threat of Magecart to retail websites has risen. In November, our research team documented a new Magecart twist - multiple attacks by different groups on the same site at the same time. Magecart has hit nearly 20,000 domains, including some of the world’s best-known brands such as Procter & Gamble's First Aid Beauty, Delta Airlines and British Airways. That number will likely increase in the next few months. At the same time, the financial risk of suffering a Magecart attack and not detecting it in a timely fashion has never been higher, between stricter enforcement of Europe’s GDPR and the impending enforcement of the California Consumer Privacy Act (CCPA). This is why e-commerce, security and engineering teams need to shore up their defenses against Magecart and other sophisticated client-side attacks.
This means that every company with an online presence should check the following boxes:
- Verify that the security controls for first-party code (for example, integrity checks on the scripts you ship) are part of the Continuous Integration/Continuous Deployment (CI/CD) process, so that a change to a production script that did not come through the pipeline is detectable.
- Consider implementing a solution for client-side attacks that provides full visibility and control of first-, third-, fourth- and fifth-party code running in production.
- Lastly and most importantly, deploy a solution - powered by AI and pattern matching - that performs real-user runtime analysis to identify anomalous client-side behavior and modifications to live site code. This is the most reliable way to spot issues and trigger defenses, in real time, against Magecart attacks.
The bottom line is that, regardless of the server-side protection applied, attackers will find ways to exploit unpatched code and zero-day vulnerabilities on servers and backend services, and to inject and modify front-end code, resulting in more Magecart-like attacks. These client-side attacks require a new approach to securing user data on web applications: real-time visibility, monitoring and control of the entire website code as it executes on the user’s device. The reputational risk and costly breach remediation efforts now average in the millions of dollars between staff time and customer damages. Will you be ready in the event of a Magecart attack?
To learn more about third-party code, check out the blog Client-side - The Security Blindspot of your Website.