Attacks and Threats

What is a Magecart Attack?

A Magecart attack (also sometimes called digital skimming or e-skimming) is a type of cyber fraud involving the exfiltration of payment information and other types of customer data from businesses selling goods or services via their website. In a Magecart attack, threat actors inject malicious code into the client side of a company’s website to enable them to steal customer data as the shopper enters the information into the online form.

Threat actors are increasingly targeting web applications with Magecart and e-skimming attacks.

What is a Magecart attack? Threat actors target web applications with Magecart and e-skimming attacks.

Who or What is Magecart?

The term “Magecart” is a portmanteau of the words “Magento” (a popular, open-source, e-commerce software platform) and “shopping cart.” (The original e-skimming attacks often targeted the Magento software platform.) All Magecart attacks are a type of e-skimming. Hundreds of different threat actors and cybercrime gangs use e-skimming or “Magecart” attacks in their criminal operations. A number of high-profile companies have been victims of Magecart and e-skimming attacks, including a major airline, department store chain, an e-commerce platform, and global event ticketing company. It is important to note, though, that while the big names make the news, most Magecart and e-skimming attacks happen to small- to medium-sized businesses.

How does an attack work?

Magecart or e-skimming attacks typically follow a simple three-step process to inject skimming code into payment card processing pages of the website.

Step 1—Attackers add malicious code with skimming functions to a third- or fourth-party code (often JavaScript) that is used by the target website.

Step 2—The skimming function is executed by the user’s browser, allowing it to steal sensitive information by recording the keystrokes the user types into the form fields. Examples of sensitive information include account credentials, payment card information, and billing information, such as home address and phone number. 

Step 3—The information the user types into the form fields is sent to the threat actor’s command & control (C2) server for storage and later use.

Industries Most Affected

Any business that uses their website to capture sensitive personal information, such as user names, passwords, credit card information, sensitive personally identifiable information (PII), health care data, etc., is a target for a Magecart or e-skimming attack. Those industries most at risk are:

Other industries also affected by these types of attacks include:

  • Real Estate
  • Technology & Cybersecurity
  • Distribution & Transportation
  • Education
  • Entertainment
  • Manufacturing
  • Energy
  • Distribution & Transportation

Attack Impacts

Loss of Sensitive Customer Information: Magecart attacks can involve the theft of multiple types of customer information, including credit card data and name and address. Depending on the size of the business and the scope of the attack (e.g., multiple entities targeted at once), millions of individuals could be affected.

Profit loss: Previous attacks have demonstrated that business profits will be impacted negatively due to reputation damage and loss of customer trust.

Regulatory and Compliance Issues: Government and industry regulations, such as the Payment Card Industry Data Security Standards (PCI DSS) and the General Data Protection Regulations (GDPR) can subject businesses to lawsuits and fines should business customers be affected by a Magecart attack.

What can businesses do to protect against attacks?

Businesses can reduce the number and impact of Magecart attacks by following these best practices:

Use automated monitoring and inspection: Monitoring and inspection activities are critical, but also time consuming if you don’t have an automated solution to regularly review client-side JavaScript code. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity.

Audit web assets: Inventory your web assets and know the type of data they hold.

Regularly scan the client side: Regularly conduct deep-dive scans into client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.

Maintain safe JavaScript libraries: Confirm the security of any external libraries by making sure they’re not on any blacklists. Regularly patch and update your libraries and avoid any dependence on third-party library sources.

Be selective with third-party scripts: Third-party scripts can contain vulnerabilities or intentional malicious content. Be sure to only use third-party JavaScript from known and reputable sources.

Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.

Move security to the left: Ensure security is part of the entire software development process—from beginning to end—and just doesn’t happen after a web application is built or installed on a system.

Feroot Prevents Magecart and E-skimming

Client-side security is a necessary component of a comprehensive security posture and organizations need to be vigilant in their ongoing inspection and monitoring of web assets.  An automated, purpose-built solution, like Inspector, can discover and report on all JavaScript web assets and their data access. Feroot’s PageGuard solution can notify businesses of any unauthorized script activity. PageGuard adds security permissions and controls to JavaScript. Finally, DomainGuard simplifies Content Security Policy management, allowing security and development teams to focus on mission critical tasks.

Learn More

To learn more about Magecart and e-skimming attacks and how you can prevent them, check out these great resources!

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.