2019 is barely over, but it has already set the record for "Magecart-style" e-skimming breaches. Macy's, Procter & Gamble, Sixth June, the American Cancer Society, the Baseball Hall of Fame, Smith & Wesson, Magento Marketplace, and the Volusion e-commerce platform are some of Magecart's recent victims. E-skimming infection code was also found hosted on the Salesforce Heroku cloud, in Amazon S3 buckets, on the Amazon CloudFront CDN, and on other content delivery networks. Magecart skimming code was also found impersonating the legitimate security firm Sanguine Security as a way to disguise itself.

RiskIQ believes that more than 17,000 websites were breached by e-skimmers in 2019, a huge increase from an estimated 6,000 website breaches between 2015 and 2018, according to the 2018 report from Flashpoint and RiskIQ.

In brief, web skimming attacks, also known as digital skimming, formjacking, and e-skimming, breach modern web apps, websites, and in some cases mobile apps by using compromised third-party JavaScript code. This gives attackers unrestricted access to sensitive data such as credit/payment card information, billing data, financial records, and user login IDs and passwords, which are later sold on the dark web.

There are steps you can take to prevent this from happening.

Skimmers have been actively updating their techniques. In 2019, we saw e-skimming attacks reach their highest volume and new levels of innovation and creativity. Notably, attackers began using legitimate cloud services like those offered by Amazon CloudFront, Salesforce Heroku, CloudCMS, Volusion, Adobe Magento, and many others. In this article, I will share some of the most notable attack trends and backdoors of the year:

1. Third-party JavaScript libraries

It's often a lot easier to infect third-party JavaScript code because it is not part of internal security oversight, while that third-party script runs in the browser with an unrestricted level of access to sensitive data. Magecart groups are increasingly targeting popular third-party JavaScript libraries that provide typical sales, marketing, and customer support functions, including chat, share-on-social-media buttons, marketing analytics, digital ad retargeting, tag managers, sign-up forms, and various other tools.

2. Drive-by skimming

Additionally, attacking third-party tools allows hackers to penetrate almost all the customers of the target, gaining the same level of unrestricted access to those customers' websites and data. Attacks based on open-source libraries and third-party code can hit thousands of companies in one shot, as security researcher Willem de Groot discovered in the Picreel and CloudCMS breaches, which infected more than 4,600 websites. This type of attack is commonly called "drive-by skimming."

3. Sideloading and Chain-loading

Sideloading and chain-loading techniques allow actors to load JavaScript code carrying the skimming infection onto target web pages through legitimate scripts and tools. For instance, Magecart Group 12 breached at least 277 e-commerce websites by adding e-skimming code to the Adverline JavaScript library, a third-party digital ad platform. Adverline's retargeting script was then sideloaded with skimming code, which skimmed customer data and sent it to a remote server. E-skimming breaches via sideloading can go undetected for a long time because the infected code is loaded directly by web browsers, well outside of the security edge.

4. Cloud-hosted skimming

E-skimming code was found hosted on popular cloud platforms, including Salesforce Heroku and the Amazon CloudFront CDN. Jérôme Segura of Malwarebytes reported that they spotted a malicious injection that loaded an e-skimmer on the Washington Wizards page of the official NBA.com website. Magecart e-skimmers were found using a spray-and-pray approach against misconfigured Amazon S3 buckets, giving them backdoors for inserting malicious code into JavaScript libraries used by thousands of organizations.

5. Wolf in sheep's clothing - Disguise and impersonation

Recently, Magecart-style attackers impersonated the legitimate security firm Sanguine Security to evade detection during their attack on Smith & Wesson. Sanguine Security identified and remediated it very quickly.

6. Skimming via public Wi-Fi hotspots

The catch-all type of e-skimming compromise was found on public Wi-Fi hotspots by IBM researchers. It gives attackers access to a large number of users in public spaces, including airports and hotels. Skimming code inserted via Wi-Fi hotspots allows theft of information from all web forms, not just checkout pages, because compromising the Wi-Fi routers lets attackers automatically inject skimming scripts into every website accessed by users through those devices.

7. E-commerce platforms

Some of the world's most popular e-commerce platforms, like Volusion and the Adobe Magento Marketplace, have been breached by Magecart e-skimming code. These e-commerce platforms provide checkout services for about 30,000 and 250,000 merchants respectively, giving access to a massive amount of account information. Thousands of online stores were confirmed to be compromised during the Volusion platform hack, which went undetected for about a month. It's possible that every e-commerce store on the platform had payment data skimmed.

8. Bonus: Anti-forensic, self-cleaning, and stealthy data skimmers

Pipka, a JavaScript-based e-skimmer, was found by researchers from Visa's Payment Fraud Disruption (PFD) team this year. It uses anti-forensic techniques such as removing itself from the web page's code after execution. Pipka was found on at least 16 websites in October alone.

As another example, Magecart used a two-stage skimming attack in the American Cancer Society website breach.

  • Stage 1 analyzed the type of web page it was loaded on until it landed on a checkout page. Once it identified the page as a checkout page, Stage 2 was activated.

  • Stage 2 loaded the e-skimming code from a server hosted in Irkutsk, Russia, using the sideloading techniques described above.

How to defend against web skimming

  • Hardening defenses and tamper detection are the key.

  • The zero-trust model is probably the best defense against web skimming attacks. That means preventing all JavaScript from accessing sensitive data without authorization, at the browser level. Continuously analyze all scripts on the client side for activities consistent with web skimming breaches, i.e., accessing form fields, sending data out of the browser, and sideloading or chain-loading JavaScript code that you did not authorize.

  • Introduce central control over which third-party scripts are allowed to load on each web page. Block unwanted sideloaded and chain-loaded scripts so the browser never loads them.

  • Don't permit sensitive form fields to be accessed by unauthorized JavaScript code.

  • Automate your web security operations to detect e-skimming attacks in seconds instead of months or quarters. Relying on quarterly or annual vulnerability assessments exposes companies to long breach windows.
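One way to implement the central script allowlist and the sideloading/chain-loading checks from the list above, as an added example that is not from the article or from any product it mentions. The origins, the report endpoint and the sample script list are constructed placeholders.

```javascript
// Added example (not from the article): allowlist control over which scripts a page may load,
// as a CSP header (blocks at load) plus a runtime check for scripts injected later
// (sideloading / chain-loading). All hostnames and endpoints below are constructed.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://www.example-shop.test",          // first-party origin
  "https://tagmanager.example-vendor.test", // the single approved third-party
];

// CSP permitting only approved origins for script loading and outbound connections.
// No 'unsafe-inline', so an injected inline skimmer is blocked; violations go to reportUri.
function buildCspHeader(origins, reportUri) {
  const src = ["'self'", ...origins].join(" ");
  return `script-src ${src}; connect-src ${src}; form-action 'self'; report-uri ${reportUri}`;
}

// Exact-origin matching defeats look-alike hosts and non-https/data: URLs used by skimmers.
function checkScriptSource(src, origins) {
  let url;
  try { url = new URL(src); } catch (e) { return { allowed: false, reason: "unparseable src" }; }
  if (url.protocol !== "https:") return { allowed: false, reason: "scheme " + url.protocol };
  if (!origins.includes(url.origin)) return { allowed: false, reason: "origin " + url.origin };
  return { allowed: true, reason: "allowlisted" };
}

// Audit observed <script> records (DOM snapshot or CI crawl); returns only the violators.
function auditScripts(records, origins) {
  return records
    .map(r => ({ ...r, verdict: r.src ? checkScriptSource(r.src, origins)
                                      : { allowed: false, reason: "inline script" } }))
    .filter(r => !r.verdict.allowed);
}

// Browser hook: report scripts added after initial load (chain-loading). Guarded so the
// same file also runs under Node, where there is no DOM.
function watchForInjectedScripts(origins, report) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const obs = new MutationObserver(muts => muts.forEach(m => m.addedNodes.forEach(n => {
    if (n.tagName === "SCRIPT") auditScripts([{ src: n.src || "" }], origins).forEach(report);
  })));
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

const SAMPLE_SCRIPTS = [ // constructed: scripts seen on a checkout page; third is a look-alike
  { src: "https://www.example-shop.test/js/checkout.js" },
  { src: "https://tagmanager.example-vendor.test/tag.js" },
  { src: "https://tagmanager.example-vendor.test.evil-cdn.test/tag.js" },
  { src: "" }, // inline script injected into the page
];
```

Running `auditScripts(SAMPLE_SCRIPTS, ALLOWED_SCRIPT_ORIGINS)` flags the look-alike host and the inline script while leaving the two approved sources alone; the CSP header from `buildCspHeader` enforces the same allowlist before the browser ever fetches a script.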

Defense in depth by design

Read the next article to learn about the top three emerging trends in e-skimming and the new industries that Magecart will likely attack this year.

And if you are interested in automating your SecOps and hardening your skimming defenses, please don't hesitate to check our site www.feroot.com and feel free to ask questions or ask for help.