Shopping cart malware, known as Magecart, is once again making headlines as it plies its trade across numerous ecommerce sites. Its name combines two things: shopping carts, and more specifically those that run the open-source ecommerce platform Magento. Magecart compromises a cart's checkout pages so that the credit card data a customer enters is copied and transmitted to cybercriminals while the purchase itself goes through normally; the criminals in turn resell this information to other bad actors.
Magecart is aided by a few unfortunate trends:
- Most ecommerce sites don't properly vet their shopping cart code, so attackers can substitute their own code or inject malicious scripts into the checkout pages.
- As software supply chain attacks proliferate, attackers can gain control over disused GitHub projects and plant their malware there, so that every site which still pulls that code distributes the malware for them. This is a well-known problem: the Financial Stability Board reported on outsourcing and third-party relationships and found a lack of transparency and a level of complexity that made it difficult to vet these supply chains.
- Magecart uses so-called bulletproof hosting providers. These come in three types: those using stolen or compromised assets, those with short-term domain leases, and those running their own data center or co-location space. Criminal groups are also getting better at moving their hosting infrastructure between bulletproof and legitimate providers to further confound trackers.
- Finally, Magecart shares code and indicators of compromise with "traditional" ATM skimmers. These collect credit and debit card data and aggregate it for the criminals in much the same way Magecart does with online shopping sites. One such "collector" site is AllWorld Cards, on which researchers found data on almost one million card holders being sold on the dark web. What is especially troubling about this card cache is that more than half of the cards were still operational.
Historical attacks related to Magecart
Looking back at the last several years, there have been a variety of attacks with connections to Magecart:
- Ticketmaster’s UK operations (January 2018)
- British Airways (and subsequent fines) (August 2018)
- NewEgg electronics retailer (September 2018)
- Shopper Approved (September 2018)
- Topps sports collectibles website (November 2018)
- MyPillow and Amerisleep (March 2019)
- Atlanta Hawks fan merchandise online store (April 2019)
- Hundreds of college campus bookstores (April 2019)
- Forbes magazine subscribers (May 2019)
- NutriBullet (February 2020)
- WordPress/WooCommerce attacks (May 2020)
- Favicon code injection attack (May 2021)
Add to this list an attack targeting reCAPTCHA earlier this month, and it is clear that Magecart activity continues to pose a threat to a variety of organizations and industries. Researchers have found that the attackers are constantly refining and evolving their tactics. They have branched out beyond Magento-based online storefronts and are developing other malicious scripts, using ad servers to infect banners and spending time analyzing their targets' logic flows. Still, they aren't perfect: back in December 2020, researchers found that one Magecart-like skimmer had accidentally leaked data from 41 of its victims.
How can you stay protected against Magecart attacks?
If your business has an online storefront, how can you avoid being compromised? First, identify all of the third-party ecommerce code on your site, including that of your online advertising vendors. You can also require those vendors to audit the code they supply for your storefront to ensure it is malware-free.
Second, make the effort to host as many of your third-party scripts as possible on your own infrastructure. This can be a challenge, given that the average ecommerce site loads code from dozens of different sources. British Airways, for example, found that its Magecart attack originated from a baggage claim server that was hosted externally.
Next, use these tips to check whether a site has been compromised, along with our other tips for vetting the legitimacy of websites. You can also use our free Avast Hack Check tool to see whether any of your website login credentials have been leaked. If so, change your password on that site immediately.
Finally, apply software updates as soon as possible. Magento users who were compromised by early attackers had delayed these updates, which let the attackers find and exploit the outdated versions. Take this as a lesson to prioritize updates; we've put together a few key reasons to update your software.
*** This is a Security Bloggers Network syndicated blog from blog.avast.com EN authored by Avast Blog. Read the original post at: https://blog.avast.com/an-overview-of-magecart-attacks-avast