Halloween is upon us, bringing with it ghosts, wizards, curses, and other dark creatures. It’s a good reminder to organizations to make web security choices that will scare away the latest threat haunting websites — Magecart. The web skimming attacks carried out by the cybercrime syndicate known as Magecart have recently made headlines, highlighting that protecting personal data in the browser is an absolute necessity.
The newest dark lord has emerged
Magecart attacks have largely gone unnoticed within the security world despite their growing prevalence in eCommerce and other industries that collect credit card information from customers. But the days of lurking in the shadows are over. Magecart has become a threat that customers, companies, and government agencies can no longer ignore: the FBI recently issued an official warning to businesses about the dangers of e-skimming, also known as web skimming or Magecart attacks.
If your web security solutions are leaving gaps in your security perimeter, such as code in the browser unprotected, the consequences could be more blood chilling than finding a ghoul in your closet.
British Airways was slapped with a $230M fine after Magecart attackers stole data from hundreds of thousands of its customers in a massive breach in 2018. Attackers were able to insert around 22 lines of code into the airline’s website, allowing them to capture customer credit card numbers and other sensitive pieces of information from approximately 500,000 customers.
Avadata exfiltration — how Magecart operates
Web skimming attacks typically follow a well-established pattern. To be successful, they must achieve three things:
- Attackers plant malicious skimming code somewhere on your website, mainly focusing on web form fields where sensitive information is collected.
- Once the infected script has been planted on your website, it’s game over. The skimmer code steals information from customers as they enter it into a page and sends it back to the Magecart attackers.
Early Magecart attacks focused on attacking the website itself, looking for vulnerabilities within a site that allowed attackers to upload their code. However, more recent attacks have evolved to focus on launching browser-based attacks that leverage scripts from third-party vendors, which have weaker security in place and provide them with easier ways to access larger and more valuable enterprise targets.
Your standard book of spells is probably falling short
One of the most challenging parts of trying to defeat this dark lord is that Magecart is extremely difficult to detect. Web skimming attacks do not take place on your backend infrastructure, but directly in a visitor’s browser. In traditional data-theft attacks, there are traffic logs or flags raised when unusual activity is detected; a skimmer running in the browser never touches those logs.
In almost all cases of Magecart detection, discovery is achieved only when the company is alerted to credit card fraud and a code review takes place. RiskIQ estimates that Magecart has been implicated in over two million web skimming attacks to date — but the reality is the number could be much higher.
Stopping Magecart requires constant vigilance! (and web skimming protection)
Today’s technology has given rise to a constantly evolving threat landscape that makes everyone a potential target. As attackers continue to focus more on the client, organizations will need to show constant vigilance when it comes to script and browser vulnerabilities, or leave themselves open to risk.
Forrester Research suggests the following steps to protect your web applications against browser-based threats:
- Regularly analyze all of your own website scripts throughout the development lifecycle
- Implement client-side protections such as web skimming or malware protection
- Deploy a bot management solution that is able to detect and defend against sophisticated botnets that result from browser-based attacks
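As an added example (not code from Instart or the original post), here is a small Python check that acts on the first two recommendations: it inventories every script on a checkout page, flags any that are not in a reviewed baseline, and flags third-party scripts loaded without Subresource Integrity, since a silently edited vendor script is exactly how the newer Magecart attacks get in. The page HTML, hostnames and baseline are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

FIRST_PARTY_HOST = "shop.example"  # constructed: the site's own host
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def extract_scripts(html):
    """Yield (src, has_sri, inline_sha256) for every <script> on the page."""
    for attrs, body in SCRIPT_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        src = a.get("src")
        digest = None if src else hashlib.sha256(body.strip().encode()).hexdigest()
        yield src, "integrity" in a, digest

def audit_page(html, baseline, first_party=FIRST_PARTY_HOST):
    """Return findings: scripts missing from the reviewed baseline, and
    third-party scripts loaded without Subresource Integrity."""
    findings = []
    for src, has_sri, digest in extract_scripts(html):
        if src is None:
            if f"inline:{digest}" not in baseline:
                findings.append(f"unreviewed inline script sha256={digest[:12]}")
            continue
        if src not in baseline:
            findings.append(f"unreviewed external script {src}")
        host = urlparse(src).hostname
        if host and host != first_party and not has_sri:
            findings.append(f"third-party script without SRI {src}")
    return findings

# Constructed checkout page and the baseline a team reviewed at the last release.
REVIEWED_INLINE = 'window.cfg = {"currency": "GBP"};'
BASELINE = {
    "https://shop.example/js/checkout.js",
    "https://cdn.vendor.example/ui.js",
    "https://cdn.vendor.example/analytics.js",
    "inline:" + hashlib.sha256(REVIEWED_INLINE.encode()).hexdigest(),
}
SAMPLE_HTML = f"""<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.vendor.example/ui.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.vendor.example/analytics.js"></script>
<script>{REVIEWED_INLINE}</script>
<script src="https://cdn.other.example/new.js"></script>
<script>console.log("added after the last review");</script>"""

if __name__ == "__main__":
    print("\n".join(audit_page(SAMPLE_HTML, BASELINE)))
```

Run against a fetched copy of the live page on a schedule, a non-empty result is the alert that a code review is needed before fraud reports arrive.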
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Andy Wyatt. Read the original post at: https://instartstage.wpengine.com/blog/defense-against-the-dark-arts-of-web-skimming