Digital Skimming and Magecart

Five Things Every CMO Needs To Know About Magecart


As originally published in Forbes


If you are a retail marketing leader, you might not know much about Magecart, but you should, because it can be a significant threat to your brand. It has caused real damage to some of the biggest brands in the world, including Macy’s and British Airways. And I’ve seen predictions that Magecart will impact more brands in 2020 than in any previous year.

Working as the chief marketing officer (CMO) of a software-as-a-service (SaaS) company that helps e-commerce companies protect their websites and web apps, I understand the need for CMOs to protect their brand’s reputation and the importance of learning about this threat.

What is Magecart?

Magecart is the name given to attacks carried out by a loose collection of criminal hacking groups that target e-commerce systems to steal customer information and payment data. The name comes from the Magento e-commerce platform, whose shopping-cart pages were the early targets. Magecart has since become shorthand for a common attack method: inserting malicious JavaScript into an e-commerce website’s code base (or into a third-party script the site loads) to skim data as shoppers type it. The skimmer runs in the visitor’s browser and captures sensitive information from online payment forms, including email addresses, passwords and credit card numbers, before or as the form is submitted.

The Magecart code can even inject form fields that were not there originally. For example, an attack against a retail website might add a loyalty account field to harvest even more user information. Because the legitimate page still loads and the purchase still goes through, visitors see no warning and have virtually no way to tell that the site has been compromised. You, the website owner, often don’t learn that your site’s code has been altered until the stolen cards start being used.

There are five ways CMOs can be impacted.

While security teams have the primary role to address Magecart, CMOs have different concerns. Here are five things that every marketing leader should know about Magecart and what they can do to prepare:

  1. Magecart can damage your brand’s reputation.

    Facing a cyberattack that harvests your customers’ credit card and financial data is a real black eye to brand equity. Customers will be angry, partners will be worried and sales will likely stall. Your CEO and chief information security officer (CISO) will face tough questions, and negative press coverage is likely to emerge. Regaining your pre-attack position will take time and money.

    In advance of a Magecart attack, take the time to revisit your crisis communications strategy. Run a tabletop exercise with your team, your CISO and key executives. That way, if you find yourself needing to respond to an attack, you’ll be ready. And as always, being proactive and transparent in your outreach to customers will be key to minimizing damage.

  2. Magecart can make you look bad on social.

    When Newegg was attacked, there was criticism of the online electronics retailer on Twitter. Sometimes, social media attention can come from influencers with a large number of followers, and their posts have the potential for high engagement. This requires significant work to monitor and overcome.

    Make sure your crisis communications strategy includes social response elements. Acknowledge the criticism, then be direct about your actions. And be personal. While people often say things on social that they wouldn’t say in person, putting a face to your company can change the dynamic.

  3. Magecart attacks can go on for months without detection.

    Most websites and web apps are built with JavaScript that pulls in third-party libraries and services, often served from domains the site owner does not control. As a result, it is difficult for website owners to know exactly what code is running in their customers’ browsers at any given moment. In my experience, most companies are not yet running the tooling needed to detect behavioral anomalies in that client-side code in real time, which is one of the few reliable ways to catch a Magecart attack while it is still happening.

    My advice here? Have a conversation with your CISO now and ask the following questions: Is our website protected against Magecart attacks? If third-party code on our website changed, how would we know? How would we block a Magecart attack?

    You need to know your baseline: which scripts your pages load, from where, and what data each of them is allowed to touch. Then work with your CISO to implement the policies and technologies that will prevent unwanted scripts from accessing users’ sensitive data and negatively impacting your company.

  4. Magecart can strike a large percentage of your customer base.

    Because Magecart attacks can go on for months without detection, a single incident can affect a large percentage of your customer base. Keep this in mind when planning for or managing through an attack. Plan for the worst, as if a large share of your customers have had their data skimmed. If the incident turns out to be smaller, you will still have it covered.

    I hope you never have to face a worst-case scenario, but if you do, planning will again be key. In some cases, you may have to send a physical letter to impacted customers, so make sure you have a vendor at the ready. A crisis is not the time to onboard a new vendor or attempt to do a mass mailing with in-house resources.

  5. Magecart attacks can negatively impact your marketing budget.

    If you face a Magecart attack, you should expect to spend real money on damage control. This can range from buying ads and evaluating new website technology to investing in extra promotions to retain customers. You might need to increase your spend to make up for lost ground or pause your efforts until negative news dies down.

    It’s important that you educate your team and company in advance. Strategize together. Get buy-in on priorities, contingency plans and the role each person will play in case of an attack. Then, be ready to implement. You may never have to do so, but it’s always best to be prepared.

Managing and marketing a company’s website or web app is a big responsibility. This is particularly true if the website or mobile app comprises a significant percentage of your organization’s revenue. Understanding the risks posed by Magecart, strategizing now to protect your website and web apps, and knowing how you’ll respond to an attack will put you on stronger footing for the future.
