How Magecart e-skimming attacks are accelerating

25 May 2021
Many of us have heard of Macy's, Ticketmaster, Smith & Wesson or countless other organizations being breached by Magecart-style digital skimming attackers, and American Cancer Society, P&G's First Aid Beauty, British Airways, Newegg and many other organizations have reported digital skimming breaches. The numbers show that Magecart attacks are accelerating, especially during the holiday shopping season: Magecart attacks were confirmed to have breached at least 19,000 domains in 2019 alone. However, the vast majority of skimming victims are small and medium-sized organizations with 50 to 1,000 employees. That doesn't mean you can't do anything to prevent your customers' data from being stolen by web skimming criminal groups. Let's take a closer look.
What is Magecart?

Magecart is a commonly used name for loosely affiliated groups that use digital skimming, or e-skimming, techniques to steal customer data.

What is a Magecart attack?

Magecart web skimming attacks (aka digital skimming, e-skimming, formjacking) take advantage of the unrestricted access that scripts have to sensitive data at the browser level and of the lack of control over the JavaScript code a website executes in its visitors' browsers. Magecart attacks steal payment card information, billing data, and other data including user login credentials, which is then monetized, including by being sold on the dark web.

How much does customer data cost on the dark web?

While prices fluctuate and depend on many variables, the summary below gives a broad picture of the commercial models and monetization of stolen data:

#### Credit cards

* ~$1,000 – for a credit card with a $15,000 limit
* ~$800 – for a credit card with a $10,000 limit
* ~$450 – for a credit card with a $5,000 limit
* ~$45 – for an average (untested) credit card

#### Online accounts

* ~$20-$200 – online payment ID (PayPal, etc.)
* ~$20 – loyalty accounts
* ~$1-$10 – online subscription services

#### Other

* ~$1,000-$2,000 – passports
* ~$20 – driver's licence
* ~$1 – the average price of a US SSN

How does a Magecart digital skimming attack work?

Attackers add skimming code directly to the target website or side-load it through a first- or third-party script the site already uses. The skimming code executes in the visitor's browser, where it can read sensitive information, including by recording keystrokes in form fields, and send it back to the attackers.

Why are Magecart skimming breaches becoming more frequent?

As more and more companies do business online, web pages that request customer information are nearly everywhere. It is now common to find customer login, credit card payment, and account sign-up pages on almost every business website, whether it belongs to an e-commerce company, a healthcare provider, or a media company. Third-party scripts and libraries are often used to implement business-driven functionality and features like analytics, marketing retargeting, live chat, forms, or shopping carts. Modern web development makes the use of third-party-controlled scripts very common, if not unavoidable. These scripts also leave many organizations vulnerable to skimming attacks.

Because e-skimming takes place directly inside the visitor's browser, outside the organization's security perimeter, sec-ops tooling such as DLP systems, code scanning, and web application firewalls is blind to skimming breaches. The majority of skimming attacks are discovered weeks or months after the damage has been done, with victim organizations responsible for post-breach costs that can reach hundreds of millions of dollars.

Successful skimming usually relies on one or more weaknesses, either in the target website itself or in third-party code the target website loads. Once attackers find a way in, they insert skimming code that has access to the form fields that process the target data. The skimming code records users' input, including keystrokes, and sends it to an external server controlled by the attackers.

How to defend?

While no approach can guarantee 100% security, a well-executed zero-trust model with detection and prevention of browser-level skimming attacks can help eliminate the majority of Magecart breaches.

#### Defense in Depth

By adopting a zero-trust approach to both first-party and third-party JavaScript code, you can prevent or significantly reduce the threat. With a zero-trust model in place, even when some of the code is compromised by a Magecart group, the skimming script will not be able to access valuable data.

#### Detection

Detection of skimming intrusions, and of the vulnerabilities commonly exploited in skimming attacks, looks for security configuration gaps and unsafe practices throughout the web pages that process valuable data. A Magecart prevention-focused security inspection should:

* determine whether skimming protection safeguards are in place
* examine whether the security access controls present any hazards to customers' data
* gather a JavaScript inventory, samples of data access in form fields, and data transfers from users' browsers to external destinations
* observe the browser-level activities of code to identify malicious actions
And if you are interested in automating your SecOps and hardening your skimming defenses, please don't hesitate to check our site and feel free to ask questions or ask for help.

Ivan Tsarynny

CEO and co-founder of Feroot Security, member of the GDPR Advisory Committee at the Standards Council of Canada, based in Toronto, Canada.
