2019 is barely over, but it is already set the highest record of "Magecart-style" e-skimming breaches. Macy's, Procter & Gamble, Sixth June, American Cancer Society, Baseball Hall of Fame, Smith & Wesson, Magento Marketplace, and Volusion e-commerce platform are some of the Magecart’s recent victims. E-skimming infection code was also found hosted on the Salesforce Heroku Cloud, in Amazon S3 buckets, Amazon CloudFront CDN, and other content delivery networks. Magecart skimming code was also found to be impersonating a legitimate security firm Sanguine Security as a way to disguise itself.
RiskIQ believes that more than 17,000 websites were breached by e-skimmers in 2019. A huge increase from an estimated 6,000 website breaches between 2015 and 2018, according to the 2018 report from Flashpoint and RiskIQ.
There are steps you can take to prevent this from happening.
Skimmers have been actively updating their techniques. In 2019, we saw e-skimming attacks reach the highest volume and new levels of innovation and creativity. Notably, they began using legitimate cloud services like those offered by Amazon CloudFront, Salesforce Heroku, CloudCMS, Volusion, Adobe Magento, and many others. In this article, I will share some of the most notable attack trends and backdoors of the year:
2. Drive-by skimming
Additionally, attacking third-party tools allows hackers to penetrate to almost all the customers of the target, gaining the same level of unrestricted access to the their customer’s websites and the data. Attacks based on open-source libraries and third-party code can hit thousands of companies in one shot as discovered by security researcher Willem de Groot in the Picreel and CloudCMS breaches that infected more than 4,600 websites. This type of attack is commonly called "drive-by skimming."
3. Sideloading and Chain-loading
4. Cloud-hosted skimming
5. Wolf in sheep's clothing - Disguise and impersonation
Recently, Magecart-style attackers impersonated a legitimate security firm Sanguine Security to evade detection during its attack on Smith & Wesson. Sanguine Security identified and remediated it very quickly.
6. Skimming via public Wi-Fi hotspots
The catch-all type of e-skimming compromise was found on public Wi-Fi hotspots by IBM researchers. This gives attackers access to a large number of users in public spaces, including airports and hotels. Skimming code is inserted via Wi-Fi hotspots allowing theft of information from all web forms, not just checkout pages, because the compromise via Wi-Fi routers allows attackers automatically injecting skimming scripts into all websites accessed by users through those devices.
7. E-commerce platforms
Some of the world's most popular e-commerce platforms like Volusion and Adobe Magento Marketplace have been breached by Magecart e-skimming code. These e-commerce platforms provide checkout services for about 30,000 and 250,000 merchants respectively giving access to a massive amount of account information. Thousands of online stores have been confirmed to be compromised during the Volusion platform hack that was undetected for about a month. It's possible that every e-commerce store on the platform might have had payment data skimmed.
8. Bonus: Anti-forensic, self-cleaning, and stealthy data skimmers
For instance, Magecart used a two-stage skimming attack in the American Cancer Society website breach.
Stage 1 was analyzing types of web pages it is loaded on until it's loaded on a checkout page. Once it identified the page as a "checkout," then Stage 2 was activated.
Stage 2 - e-skimming code was loaded from a server hosted in Irkutsk, Russian using sideloading techniques described above.
How to defend against web skimming
Hardening defenses and tamper detection is the key.
Introduce central control over which third-party scripts are allowed to be loaded on each web page. Block and don't permit the browser to load unwanted sideloaded and chain loaded scripts.
Automate your web security operations to detect e-skimming attacks in seconds instead of months or quarters. Relying on quarterly or annual vulnerability assessments exposes companies to long breach windows.
Defense in depth by design
Read the next article to learn about the top three emerging trends in e-skimming and new industries that Magecart will likely attack this year.