What are Magecart attacks?
A Magecart attack is one in which cybercriminals skim shoppers’ credit card data and other personally identifiable information (PII) from your online payment forms when they complete a transaction. The name “Magecart” refers to several hacker groups that use online skimming techniques to steal payment data from e-commerce sites on the Magento platform. However, Magecart attacks have spread far beyond Magento to OpenCart, Volusion and nearly every other e-commerce platform. This type of attack is known more broadly as digital skimming.
Suffering a Magecart attack exposes payment data and PII, damages brand reputation and consumer trust, and results in fines due to noncompliance with privacy regulations. These attacks can be hard to detect, so it is critical to proactively identify and fix code risks before your site is compromised.
How do Magecart attacks work?
Attackers leverage vulnerabilities in client-side code to inject malicious scripts into the payment pages on e-commerce sites. When users complete a transaction, the script captures the form data and sends a copy to the cybercriminal. The transaction data still flows through to the e-commerce system, so website owners and consumers are not immediately aware that payment information was stolen. Contact information, usernames, passwords, credit card numbers, CVVs, and expiration dates are all subject to theft via Magecart attacks.
Cybercriminals can carry out Magecart attacks in various ways. These include both mass and targeted attacks that leverage different types of code injections and skimmers. Here are some examples:
- Inject malicious scripts into real payment pages to change form behavior
- Direct users to complete transactions on fake sites with URLs similar to the site they intended to visit, so the buyer unknowingly submits a form on a fraudulent, infected site
- Hide skimmers in images that load on payment pages in users’ browsers, such as in the 2022 attack on Segway
Why are Magecart Attacks so Difficult to Detect?
Magecart attacks target client-side code, which runs in users’ browsers. This means that malicious skimmers fall outside of common server-side web controls, such as web application firewalls (WAFs), which never see what executes in the browser. In addition, cybercriminals increasingly use scripts designed to evade detection. The malicious code loads dynamically in users’ browsers, often only on the payment page and sometimes only for specific visitors, so it is often missed by manual code reviews, static code analysis, and external scans.
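Because the skimmer arrives at runtime, detection has to happen where the code executes: in the browser. The snippet below is an added illustration written for this page, not PerimeterX code. It watches the DOM for script elements inserted after page load and reports any whose origin is not on a first-party allowlist. The origins, the report endpoint and the use of `navigator.sendBeacon` for reporting are assumptions; the classification logic is kept as a pure function so it can be tested outside a browser.

```javascript
// Added example (not PerimeterX code): report <script> elements inserted at
// runtime whose origin is not on an allowlist. Hostnames are constructed.

const PAGE_ORIGIN = "https://shop.example"; // constructed first-party origin
const ALLOWED_SCRIPT_ORIGINS = new Set([
  PAGE_ORIGIN,                     // first-party scripts
  "https://cdn.payments.example",  // constructed payment-provider CDN
]);

// Pure classification: takes { src } (src is "" for inline scripts) and
// returns { allowed, reason }. Kept DOM-free so it can be unit-tested.
function classifyScript(script, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  // Legitimate inline code ships in the HTML; an inline script that appears
  // only after load is itself a signal worth reporting.
  if (!script.src) {
    return { allowed: false, reason: "inline script inserted at runtime" };
  }
  let origin;
  try {
    // Relative URLs resolve against the page origin, as the browser would.
    origin = new URL(script.src, PAGE_ORIGIN).origin;
  } catch {
    return { allowed: false, reason: "unparseable src" };
  }
  if (!allowedOrigins.has(origin)) {
    return { allowed: false, reason: `origin ${origin} not on allowlist` };
  }
  return { allowed: true, reason: "ok" };
}

// Build the report record separately from sending it so it can be tested.
function buildReport(script, verdict) {
  return {
    type: "unexpected-script",
    src: script.src || null,
    reason: verdict.reason,
    page: typeof location !== "undefined" ? location.href : "(no DOM)",
    ts: Date.now(),
  };
}

// Browser wiring: observe newly added nodes (how dynamically loaded skimmers
// usually arrive) and beacon a report for each disallowed script. Guarded so
// the file also loads under Node, where it simply returns null.
function startScriptMonitor(reportUrl = "/script-report") {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") {
    return null;
  }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== "SCRIPT") continue;
        const script = { src: node.src };
        const verdict = classifyScript(script);
        if (!verdict.allowed) {
          navigator.sendBeacon(reportUrl, JSON.stringify(buildReport(script, verdict)));
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

startScriptMonitor();
```

In a real deployment the monitor itself must load before any third-party code (first in the head, ideally inline), and a report from it is a detection signal rather than a block: the browser has already executed the script by the time the observer fires, so this complements, rather than replaces, preventive controls.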
Impact of Magecart Attacks
It is estimated that a new Magecart attack happens every 16 seconds, and they can have severe repercussions for your business. Nothing destroys brand reputation and consumer trust faster than exposing sensitive data to bad actors. This is true for both current customers who are directly affected and prospective buyers who may see bad press and choose to shop elsewhere. In fact, 56% of consumers say they won’t shop on a site that compromised their data. Reputation damage can negatively impact revenue, stock value and business growth.
Many countries and states have passed data privacy legislation — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — which impose hefty fines on businesses that fail to protect user data. Brands are responsible for Magecart attacks on their site, even when it was a third-party platform that was compromised. Well-known brands such as British Airways and Ticketmaster have been fined millions of dollars following Magecart attacks.
How to Prevent Magecart Attacks
Preventing a Magecart attack starts with understanding your third-party vendors. Vet your vendors by asking questions about their data security protocols and compliance measures. You can even include security requirements and penalties for non-compliance in vendor contracts. And do not allow third-party code more access rights than it needs: restrict which hosts may serve scripts to the payment page and where the page may send data.
How Does PerimeterX Stop Magecart Attacks?
PerimeterX Code Defender stops Magecart and other client-side supply chain attacks on your website using advanced behavioral analysis. It gives you full visibility and control over first-, third- and nth-party scripts running on the client side. The solution detects unauthorized PII access, data exfiltration events and known script vulnerabilities, and provides incident details.