Magecart hits hundreds of websites via ad supply chain hijack
A criminal Magecart gang successfully compromised hundreds of e-commerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online.
Rather than target individual websites one by one, the attackers compromised a third-party JavaScript library served by the French advertising network Adverline. Every site that loaded the library then ran the malicious skimming code, at least 277 websites in total.
According to researchers at Trend Micro and RiskIQ, the websites affected by the Adverline breach included ticketing, travel and flight booking services as well as online stores selling cosmetic, healthcare and apparel products.
The fundamental problem is this: just about every website loads third-party JavaScript written and hosted by someone else. It is an easy way to add functionality to a site with no coding required. A very common example is Google Analytics, used by many millions of websites to give webmasters a way of collecting web traffic statistics.
But JavaScript is very powerful. Once it runs in a visitor's browser it can do things that may make you uncomfortable, such as reading, modifying and exfiltrating any information displayed on or entered into the page, including the card number typed into a checkout form.
Your company may have security in place to stop hackers breaking into your systems. But in a Magecart-style attack they have not compromised your IT infrastructure directly; they have poisoned a third-party script that your website loads. It is the equivalent of poisoning a water supply upstream from where it is drunk.
Furthermore, the exploitation of the Adverline ad network underlines a tactic often seen in Magecart attacks. Criminals take advantage of the fact that a typical website's security team is more likely to be fully staffed during the working week and the site less well defended at other times. Exploitation often appears to take place at weekends or, as in this case, over a holiday period, between January 1st and January 5th, (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/magecart-hundreds-websites-supply-chain-hijack/