
Decoding Magecart Attacks

The modern web is ripe for exploitation

Not so long ago, when a user visited a website, all the logic and processing happened on the server. The client device received mostly HTML, and the browser or client app was primarily a rendering engine. Fast forward a few years and many modern web applications use client-heavy frameworks such as Angular, Ember, React, Backbone, etc. When a user visits a website, the browser loads a significant amount of JavaScript from the site and executes that code directly in the client browser. It is fair to say that the browser has become the new OS. Many web apps are “Single Page Apps”: JavaScript-heavy apps that make API calls to retrieve data from the server backend, so visiting a modern website today is analogous to downloading an exe.

On websites today, less than 1/3 of the code is native to the website, and more than 2/3 of the code loaded into the browser (tag management, analytics libraries, form builders, audio/video integration, social media, etc.) is fetched from a third party. Each integration with a third-party service provides an additional opportunity for a client-side attack. Given this paradigm shift in the way modern web applications are architected, what does it mean for the enterprise to control and secure the application and its users today?

Anatomy of a typical Magecart attack

The modus operandi of Magecart and similar attacks is to compromise a third-party piece of software on a retail website, such as a shopping cart, checkout page or payment page, in order to steal customer data. Magecart skimmers have been detected on over two million global websites, and the incidence of such attacks increased by over 20% in the early days of the pandemic. Let’s examine the techniques used in a standard Magecart attack using the example of the well-known Focus Camera hack. The attack took place in 2019 and involved the use of a skimmer to steal payment card data from Focus Camera customers using the portal. Like the infamous British Airways attack, this one involved the use of a domain that closely resembled a legitimate brand or product – in this instance “zdsassets.com”, clearly chosen to look like ZenDesk’s official “zdassets.com”. Malicious JavaScript was injected into the website, allowing the hackers to skim credit card data at the checkout.

What can website owners do?

The best defense against client-side attacks like Magecart starts with identifying how much third-party code is running on your site. The next layer is establishing the norms of behavior for those applications. Security standards like Content Security Policy (CSP), Subresource Integrity (SRI), HSTS, iframe sandboxing, Referrer-Policy and others protect web applications as they execute on client devices. Deploying these standards is the best way to protect your business from financial and reputational loss while maintaining a website that runs quickly and smoothly. In the case of the Focus Camera breach, standards-based policies and headers would have ensured that the attack was defeated. Adding SRI hashes to the script tags can prevent the execution of the maliciously modified scripts altogether. In cases where scripts are not hashable (for example, because the vendor changes them without notice), exfiltration of sensitive data can still be prevented by deploying a fine-grained Content Security Policy whose connect-src directive restricts connections to unauthorized endpoints, such as the “zdsassets.com” domain used in this attack.

Fighting Magecart doesn’t have to be difficult

Tala’s innovative solution ensures that all types of client-side attacks are prevented in real time, without impacting website performance. We do this by automating standards-based security, natively available in every modern browser. This means no overhead and no impact on website performance.

Securing websites against this accelerating attack should be an imperative for every website owner. Learn more about how Tala prevents Magecart here.


*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Swapnil Bhalode, Co-Founder and CTO of Tala Security. Read the original post at: https://go.talasecurity.io/blog/decoding-magecart-attacks