Attacks and Threats

What is a Magecart Attack?

A Magecart attack (also sometimes called digital skimming or e-skimming) is a type of cyber fraud involving the exfiltration of payment information and other types of customer data from businesses selling goods or services via their website. In a Magecart attack, threat actors inject malicious code into the client side of a company’s website to enable them to steal customer data as the shopper is entering the information into the online form.

What is Magecart?

The term “Magecart” is a portmanteau of the words “Magento” (a popular, open-source e-commerce software platform) and “shopping cart.” (The original e-skimming attacks often targeted the Magento software platform.) All Magecart attacks are a type of e-skimming. Hundreds of different threat actors and cybercrime gangs use e-skimming or “Magecart” attacks in their criminal operations.

How does a Magecart attack work?

Magecart or e-skimming attacks typically follow a simple three-step process to inject skimming code into the payment card processing pages of a website.

Step 1—Attackers add malicious code with skimming functions to third- or fourth-party code (often JavaScript) that is used by the target website.

Step 2—The skimming function executes in the user’s browser, where it steals sensitive information by recording the keystrokes the user types into the form fields. Examples of sensitive information include account credentials, payment card information, and billing information such as home address and phone number.

Step 3—The information the user types into the form fields is sent to the threat actor’s command & control (C2) server for storage and later use.

What is the impact of a Magecart attack?

Loss of Sensitive Customer Information—Magecart attacks can involve the theft of multiple types of customer information, including credit card data, names, and addresses. Depending on the size of the business and the scope of the attack (e.g., multiple entities targeted at once), millions of individuals could be affected.

Profit loss—Previous Magecart attacks have shown that business profits suffer as a result of reputation damage and loss of customer trust.

Regulatory and Compliance Issues—Government and industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), can subject businesses to lawsuits and fines should their customers be affected by a Magecart attack.

What can businesses do to protect against Magecart attacks?

Businesses can reduce the number and impact of Magecart attacks by following these best practices:

Audit web assets: Inventory your web assets and know the type of data they hold.

Regularly scan the client side: Regularly conduct deep-dive scans into client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.

Use automated monitoring and inspection: Monitoring and inspection activities are critical, but also time consuming if you don’t have an automated solution to regularly review client-side JavaScript code. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity.

Maintain safe JavaScript libraries: Confirm the security of any external libraries by making sure they’re not on any blacklists. Regularly patch and update your libraries, and avoid depending on third-party library sources.

Be selective with third-party scripts: Third-party scripts can contain vulnerabilities or intentional malicious content. Be sure to only use third-party JavaScript from known and reputable sources.

Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.

Move security to the left: Ensure security is part of the entire software development process—from beginning to end—rather than something that happens only after a web application is built or installed on a system.
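As an added example, not code from the original page, of the automated client-side inspection recommended above (and of the injection step described under “How does a Magecart attack work?”), the JavaScript below classifies every script source on a page against an allowlist of approved origins and, when run in a browser, watches for scripts added to the DOM after load. The approved origins, the sample script sources and the report callback are constructed placeholders that a site owner would replace with their own.

```javascript
// Added example (not from the original page): a client-side script allowlist
// monitor. The approved origins, sample sources and report callback are
// constructed placeholders, not real site values.
const APPROVED_ORIGINS = ["https://shop.example", "https://cdn.approved-vendor.example"];

// Resolve a script src (absolute or relative) to its origin; inline scripts have none.
function scriptOrigin(src, pageOrigin) {
  if (!src) return "inline";
  try {
    return new URL(src, pageOrigin).origin; // data: URLs resolve to the string "null"
  } catch (e) {
    return "invalid";
  }
}

// Classify each source as approved, inline (review separately) or unauthorized;
// an injected skimmer loaded from an attacker-controlled host lands in the last bucket.
function classifyScripts(sources, approved, pageOrigin) {
  return sources.map((src) => {
    const origin = scriptOrigin(src, pageOrigin);
    let verdict = "unauthorized";
    if (origin === "inline") verdict = "inline";
    else if (approved.includes(origin)) verdict = "approved";
    return { src: src || "(inline)", origin, verdict };
  });
}

// Browser only: report any <script> added to the DOM after load whose origin is
// not approved. Guarded so the file also runs unchanged under Node.
function installScriptMonitor(approved, report) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== "SCRIPT") continue;
        const [result] = classifyScripts([node.src], approved, document.location.origin);
        if (result.verdict !== "approved") report(result);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of script sources as they might appear on a checkout page.
const SAMPLE_SOURCES = ["/static/checkout.js", "https://cdn.approved-vendor.example/widget.js",
  "https://unknown-host.example/analytics.js", ""];
console.table(classifyScripts(SAMPLE_SOURCES, APPROVED_ORIGINS, "https://shop.example"));
```

The static classification is what a periodic scan or build-time audit would run over the rendered page; the observer covers scripts that only appear once the page executes.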