Many of us have heard of Macy's, Ticketmaster, Smith & Wesson or countless other organizations being breached by Magecart-style digital skimming attackers.
Numbers show that Magecart attacks are accelerating, especially during the holiday shopping season. Magecart attacks were confirmed to have breached at least 19,000 domains in 2019 alone. Macy's, Ticketmaster, American Cancer Society, P&G's First Aid Beauty, British Airways, Newegg, and many other organizations have reported digital skimming breaches. However, the vast majority of skimming victims are small and medium-sized organizations with 50 to 1000 employees. That doesn't mean you can't do anything to prevent your customers' data from being stolen by web skimming criminal groups. Let's take a closer look.
What is Magecart?
Magecart is a commonly used name for loosely affiliated groups that use digital skimming (e-skimming) techniques to steal customer data.
What is a Magecart attack?
How much does customer data cost on the dark web?
While prices fluctuate and depend on many variables, the summary below gives a broad picture of the commercial models and monetization of stolen data:
~$1,000 – credit card with a $15,000 limit
~$800 – credit card with a $10,000 limit
~$450 – credit card with a $5,000 limit
~$45 – average (untested) credit card
~$20-$200 – online payment ID (PayPal, etc.)
~$20 – loyalty accounts
~$1-$10 – online subscription services
~$1,000-$2,000 – passports
~$20 – driver's licence
~$1 – average price of a US SSN
How does a Magecart digital skimming attack work?
Attackers add skimming code directly to the target website or side-load it through a first- or third-party script that the website already uses. The skimming code is executed by visitors' browsers, which gives it the ability to steal sensitive information, including by recording keystrokes in form fields, and to send that data back to the attackers.
Why are Magecart skimming breaches becoming more frequent?
As more and more companies do business online, pages that request customer information are nearly everywhere. It is now very common to find customer login, credit card payment, and account sign-up pages on almost every business website, whether it belongs to an e-commerce company, a healthcare provider, or a media company.
Third-party scripts and libraries are often used to implement business-driven functionality and features such as analytics, marketing retargeting, live chat, forms, or shopping carts. Modern web development makes the use of third-party controlled scripts very common, if not unavoidable. These scripts also leave many organizations vulnerable to skimming attacks.
E-skimming of data takes place directly inside the visitor's browser, which is outside the organization's security operations. This leaves sec-ops solutions, including DLP systems, code scanning, and web application firewalls, blind to skimming breaches.
The majority of skimming attacks are discovered weeks or months after the damage has been done, with victim organizations responsible for post-breach costs that can reach hundreds of millions of dollars.
How to defend?
Successful skimming usually relies on one or more weaknesses in either the target website itself or the third-party code loaded by the target website.
When an attacker finds a backdoor, they insert skimming code that has access to the form fields that process the target data. The skimming code records users' input, including keystrokes, and sends it to an external server controlled by the attackers.
While no approach can guarantee 100% security, a well-executed zero-trust model with detection and prevention of browser-level skimming attacks can help eliminate the majority of Magecart breaches.
Defense in Depth
Detecting skimming intrusions, and the vulnerabilities commonly exploited in skimming attacks, means looking for security configuration gaps and unsafe practices throughout the web pages that process valuable data.
A Magecart prevention-focused security inspection should:
determine whether skimming protection safeguards are in place
examine whether the security access controls present any hazards to customers' data
observe browser-level activities of code to identify malicious actions
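One way to get the browser-level visibility this section calls for is to have the site send a Content-Security-Policy with a report endpoint and triage the violation reports browsers post back: a request to an unknown host from a checkout or login page is the signature of captured input leaving the browser. The following is an added example, not code from the original article; the allowlist, the sensitive-page paths and the sample reports are constructed assumptions, and the report shape follows the W3C "csp-report" JSON format.

```javascript
// Added example (not from the original article): triage CSP violation reports
// POSTed by browsers to surface Magecart-style skimming activity.
// Assumptions: the site sends Content-Security-Policy with report-uri/report-to,
// and reports arrive one JSON object per line in the W3C "csp-report" shape.

// Hosts the site legitimately talks to (assumed allowlist for this example).
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.example", "api.pay.example"]);
// Pages that handle card, login or account data (assumed paths).
const SENSITIVE_PATHS = [/\/checkout/, /\/login/, /\/account/];
// Directives a skimmer trips when it sends captured input out of the browser.
const EXFIL_DIRECTIVES = new Set(["connect-src", "form-action", "img-src"]);
// Directives tripped when unexpected skimming code is loaded or injected inline.
const LOAD_DIRECTIVES = new Set(["script-src", "script-src-elem"]);

function hostOf(uri) {
  try { return new URL(uri).hostname; } catch { return null; } // "inline", "" etc. -> null
}

// Returns {severity, directive, blockedUri, documentUri}, or null for non-CSP input.
function triageReport(line) {
  const r = JSON.parse(line)["csp-report"];
  if (!r) return null;
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  const blockedUri = r["blocked-uri"] || "";
  const documentUri = r["document-uri"] || "";
  const host = hostOf(blockedUri);
  const sensitivePage = SENSITIVE_PATHS.some((p) => p.test(documentUri));
  let severity = "info";
  if (host && !ALLOWED_HOSTS.has(host)) {
    if (sensitivePage && EXFIL_DIRECTIVES.has(directive)) severity = "high";        // data leaving a payment/login page
    else if (sensitivePage && LOAD_DIRECTIVES.has(directive)) severity = "medium";  // unknown script on such a page
    else severity = "low";                                                          // unknown resource elsewhere
  } else if (blockedUri === "inline" && sensitivePage && LOAD_DIRECTIVES.has(directive)) {
    severity = "medium"; // inline script injected directly into a sensitive page
  }
  return { severity, directive, blockedUri, documentUri };
}

function triageAll(lines) {
  return lines.map(triageReport).filter(Boolean);
}

// Constructed sample reports (hosts are placeholders, not real indicators).
const SAMPLE_LINES = [
  '{"csp-report":{"document-uri":"https://shop.example/checkout","effective-directive":"connect-src","blocked-uri":"https://stats-collect.invalid/c.php"}}',
  '{"csp-report":{"document-uri":"https://shop.example/checkout","effective-directive":"script-src-elem","blocked-uri":"https://cdn-assets.invalid/jquery.min.js"}}',
  '{"csp-report":{"document-uri":"https://shop.example/login","violated-directive":"script-src \'self\'","blocked-uri":"inline"}}',
  '{"csp-report":{"document-uri":"https://shop.example/blog","effective-directive":"style-src","blocked-uri":"https://fonts.invalid/f.css"}}',
];

console.log(triageAll(SAMPLE_LINES)); // severities: high, medium, medium, low
```

Feeding the "high" findings into the same alerting pipeline as server-side logs closes the blind spot between the browser and sec-ops tooling.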