Everything You Need to Know About Magecart and Skimming Attacks

Everything You Need to Know About Magecart and Other Skimming Attacks

22 June 2021

At this point in time you have likely heard of or were directly impacted by a Magecart or skimming attack. Over the last few years, the number of Magecart-like attacks have been increasing rapidly. Macy’s, Ticketmaster, American Cancer Society, P&G’s First Aid Beauty, British Airways, Newegg, and many other organizations have reported digital skimming breaches. However, the vast majority of skimming victims are small and medium-sized organizations with 50 to 1000 employees.

The need for client-side security programs is on the rise. To date, security teams have been primarily focused on protecting their networks. Threat actors know this and have pivoted their tactics, techniques and procedures (TTPs) from the server-side to the client-side. Hackers go after the low hanging fruit. They go after websites and web applications. Leading security organizations are shifting their security team’s focus from the server-side to the client-side so that they can protect their customers’ data. Let’s take a closer look at Magecart and other skimming attacks.

What is Magecart?

Magecart is a commonly used name for loosely affiliated threat groups that use digital skimming or e-skimming techniques to steal customer data. The term “Magecart” is a portmanteau of the words “Magento” (a popular open-source ecommerce software platform) and “shopping cart,” is a type of e-skimming. 

What is a Magecart Attack and How Does it Work?

A Magecart attack is a process in which malicious threat actors, state-sponsored hackers, or financially motivated attackers gain access to a company’s online store. Magecart or e-skimming attacks follow a simple three-step process to inject skimming code into payment card processing pages of the website in order to make financial gain. 

  • Step 1
    • Attackers add malicious code with skimming functions to a third- or fourth-party script that is used by the target website.
  • Step 2
    • The skimming function is executed by the user’s browser, allowing it to steal sensitive information by recording the keystrokes the user enters into form fields. Examples of sensitive information include account credentials, payment card information, and billing information, such as home address and phone number.  
  • Step 3 
    • The information the user enters into form fields is sent to the threat actor’s command & control (C2) server for storage and later use.

There are quite a few attack vectors for Magecart or other client-side web skimming attacks. Here are the top four that security professionals should keep a close eye on. 

The Top Four Skimming Attack Vectors

Javascript Libraries

Web applications that use third-party JavaScript code are vulnerable because JavaScript inherently lacks internal security management and oversight capabilities. As a result third-party code can have an unrestricted level of access to sensitive data at the browser level.

Sideloading and Chainloading of Code

Sideloading and chainloading techniques allow actors to load JavaScripts scripts with skimming-capable malware on target web pages. E-skimming breaches via sideloading can go undetected for a long time because infected code is loaded directly into the user session by web browsers while remaining outside of the web application firewall and other security perimeter controls.

Platform or Cloud-hosted Skimming

E-skimming code has been found hosted by popular cloud platforms including Salesforce Heroku and Amazon CloudFront CDN, as well as on misconfigured Amazon S3 buckets. Such code can inject backdoors for inserting malicious code into JavaScript libraries used by thousands of organizations.

Why Attack the Client-side with Skimming Attacks?

Not to date myself, but I believe Nelly said it best: 

“Hey, it must be the money!”  

As described above, skimming attacks are easy to execute. With current security tools, even the best security teams are unaware of malicious JavaScript code and the majority of client-side attacks. By skimming user data from the client-side, threat actors can quickly make financial gain, either immediately by using stolen information, like credit card numbers, or by selling information on the dark web. 

How Much Does Customer Data Cost on the Dark Web?

While prices fluctuate and depend on many variables, the following summary offers an overview of dark web commercial models and the monetization of stolen data:

Credit Cards

  • $1,000 – for a credit card with a $15,000 limit
  • $800 – for a credit card with a $10,000 limit
  • $450 – for a credit card with a $5,000 limit
  • $45 – for an average (untested) credit card

Digital Account Credentials

  • $20-$200 – Online payment ID (PayPal, etc)
  • $20 – Loyalty Accounts
  • $1-$10 – Online Subscription Services (e.g. Netflix, Disney+, etc.)

Other PII

  • $1,000 – $2,000 – Passports
  • $20 – Drivers Licence
  • $1 – Average price of US Social Security Number

Why are Magecart Skimming Breaches Becoming More Frequent?

In order to operate and grow a business, organizations need websites. In this day and age, if you do not have a website, you are extremely restricted in your sales opportunities. In addition, with the COVID-19 pandemic and the continuing shift to online shopping, if customers can’t complete digital transactions with you, it is unlikely that they will do business with you. It’s now the norm for businesses to have login pages, e-commerce pages, shopping carts, and other web applications to make it easy for customers to consume their products and services. 

To the vast majority of people shopping on the web (a.k.a. the majority of our population) conducting online business is relatively easy and safe. 

However, the reality is somewhat different. 

Today, websites and web applications are assembled by third-party scripts and code libraries to implement business-driven functionalities and features such as analytics, marketing retargeting ads, live chats, forms, or shopping carts. Modern web developers use third-party scripts to speed up application and website development since building websites and web apps from scratch is cost prohibitive. The problem with third- or fourth-party scripts is that they are built by developers of varying capability levels and a lot of the time are built without security in mind. So many third-party scripts leave organizations vulnerable to skimming attacks. 

Skimming of data takes place directly on the visitor’s browser, which is outside the organization’s security perimeter, and outside of the purview of the security team. The majority of security operations technologies including data loss prevention (DLP) systems, code scanning, and web application firewalls are completely blind to skimming breaches. 

The majority of skimming attacks are discovered weeks or even months after the damage has been done. Businesses that are victims of a skimming attack generally have no visibility across all of their client-side web assets, and end up having to clean-up a bitter mess caused by a client-side security incident, of which the post-breach costs can reach hundreds of millions of dollars.

What Can I Do to Protect My Business and My Customers? 

Regardless if you are a marketer, a customer service professional, a security professional, or an application developer, you are responsible for protecting your most critical assets—your customers. In order to grow your business and avoid costly data breaches, it’s your responsibility to prevent Magecart and other skimming attacks, and the associated data exfiltration. The dangers that come through the client side are significant, as are the historic challenges to defeat them—complexity, a lack of visibility, and an inability to uncover, remediate, and prevent client-side security threats. But with knowledge of what is needed, it can be done and not just said. 

To learn how to detect and prevent skimming attacks, please download our white paper.

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.