How to prevent Magecart attacks
E-commerce is booming, so are Magecart attacks
The global e-commerce economy continues to grow with nearly $26.7 trillion spent in 2020. Website owners have an obligation to protect their sites, their data, and their customers to ensure the integrity of online transactions. They face increasing pressure to safeguard against browser-side attacks like Magecart.
When Magecart attacks first began back in 2015, they primarily targeted open-source Magento e-commerce platforms. Today, no online shopping platform is safe. In fact, one multi-functional script was found to have been coded to collect data from an incredible 57 different payment platforms. These attacks are part of a massively growing trend of targeting browser-side website vulnerabilities to launch JavaScript card skimming attacks. There is clearly a lot at stake.
Ultimately, trust matters in e-commerce. Without it, customers will alter their purchase preference. According to a survey, 62% of consumers have abandoned an online transaction due to concerns over security. As such, website owners must do all they can to ensure the integrity of e-commerce. Despite these concerns it seems security is lagging as evidenced by Dark Reading publishing that 2 million websites are infected with skimmers on the cusp of the 2019 holiday shopping season.
Understanding that security fosters trust, a Shopify partner offered a number of recommendations for ensuring website security. Shopify operates as the world’s 2nd largest e-commerce platform and the set of prescriptive advice for ensuring the security and integrity of online commerce provides a good framework for website owners to consider as they endeavor to secure their web assets. The following recommendations have been extracted directly from the article.
13 ways to start building Magecart protection
| Feature | Explanation |
| Security must be part of the development process |
Security should integrate with CI/CD pipelines and provide risk analysis before deploying in production environments |
| Use a modern framework that handles security automatically |
Consider automation to assist customers with deploying industry-standard security functionality |
| Avoid typical XSS mistakes |
Content Security Policy (CSP) covers a wide range of XSS attacks |
|
Consider Trusted Types |
Trusted Types safeguard against XSS attacks by allowing the locking down of dangerous injection sinks. |
| Consider using textContent instead of innerHTML |
Identify all uses of innerHTML within the web app and replace with textContent |
| Compartmentalize your application |
Website architecture dependent |
| Be careful when using Google Tag Manager |
Define the relationship/ownership of Tag Management between organizational security and marketing functions |
| Be more selective with third-party scripts |
Create and continuously monitor a comprehensive inventory of third-party scripts |
|
Audit your dependencies |
Website architecture dependent |
| Use Sub-resource Integrity for third-party CDN hosting |
SRI provides a hashing function to ensure site integrity |
| HTML encoding is not enough |
Protect against XSS and other advanced threats |
| Implement CSP |
CSP offers standards-based security defined as sophisticated allowlists for effective security. CSP is best when used in conjunction with other security mechanisms to provide an effective defense-in-depth mechanism. |
| Be mindful of what you’re exposing |
Create an inventory and map all user data that is exposed to third-parties |
The recommendations above are a good starting point for implementing website security. However, many organizations can become quickly overwhelmed with the perceived complexity of some of these recommendations. As such, considering a vendor that can assist with the activation of these capabilities can accelerate deployment of this key functionality and reduce the administrative burdens on often over-burdened staff.
Tala automates standards based security
Tala Security is such a vendor and protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala prevents attacks by automating the deployment and dynamic adjustment of standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards.
The activation of these browser-native security controls provides comprehensive security without requiring any changes to the application code and with no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 150 security relevant indicators to automate the generation, implementation and updating of security policies. Tala also provides customers with streamlined alert analytics and incident management. Today, Tala serves large enterprises in verticals such as financial services, online retail, payment processing, hi-tech and fintech.
Tala offers a compelling set of capability for immediately addressing the above-referenced website security capability set.
*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Sanjay Sawhney, Co-Founder and VP of Engineering. Read the original post at: https://go.talasecurity.io/blog/how-to-prevent-magecart
