How to protect your data from Magecart and other e-commerce attacks

In today’s golden age of online shopping, consumers take to the Internet, punch in a few credit card details, and happily receive products at their doorstep, safe in the knowledge that their online vendor is well-known, vetted, and therefore their website has to be secure, right? Dut did you know that hackers can steal your credit card details with only a few lines of JavaScript?

Attacks on websites with the purpose of collecting user submitted data are hardly new. Magento, the open-source e-commerce platform, has been the target of such hacks for years.

By compromising websites that are also used as payment platforms, harvesting credit card numbers and other private, personally identifiable information (PII) on-the-fly is a surprisingly easy and lucrative process.

In a sense, this is the digital equivalent of credit card skimming, a process of grabbing someone’s credit card details at a physical ATM. In the same fashion that criminals can tamper with the ATM, so too can they with a website’s checkout page.

In recent months, there has been a steady increase of such attacks going after smaller websites and major companies alike. This blog post will review some of the most recent events we’ve witnessed, and offer some mitigation techniques for a threat that intends to fly under the radar.

Third-party compromises

Attackers can compromise a website using many different techniques, often by exploiting vulnerabilities or weak passwords. When that is not possible, they often target a third-party library that the site relies on, which perhaps is not as secure.

An added benefit of third-party compromises is the scalability of the attack. By hacking into one provider, you can affect an entire group of websites that depend on it.

The malicious code below was appended to a legitimate and trusted script in an obfuscated format. This is the work of Magecart, the name given to a group of threat actors responsible for several high profile attacks recently.

After decoding the script, we can see the code responsible for harvesting the data when customers hit the checkout button. At the network level, this looks like a POST request where each field (name, address, credit card number, expiry date, CVV, etc.) is sent in Base64 format to the rogue server (info-stat[.]ws) controlled by the criminals:

This kind of attack happens transparently to both the merchant and customer. In contrast to breaches that involve leaked databases where the information may be encrypted, web skimmers are able to collect your data in clear text and in real-time.

British Airways case

Between August and September 2018, British Airways suffered a Magecart attack for 15 days, which was highly targeted so as not to raise suspicions from site visitors or administrators.

A JavaScript library was tampered with and mixed into the payment flow in a way that blended it seamlessly into the background. In fact, the script itself was loaded in from the baggage claims information page and the attackers even paid for an SSL certificate for the server to which they sent stolen data. They could have used a free certificate like so many other scammers do, but they likely wanted to avoid red flags and make everything look as legitimate as possible. If they hadn’t taken so many precautions, they may well have been discovered a lot earlier.

In terms of data stolen, the attackers managed to claim both PII and payment details. The attack was so comprehensive that Magecart was even able to swipe data from mobile app users, due to portions of the site loading inside the app itself and the attackers ensuring they had a few pieces of mobile-specific code ready and waiting.

That they were able to pull off such an attack, alongside having so much internal access to the British Airways site itself, is deeply alarming. It isn’t just payment information being made available to airlines on a daily basis—it’s passport details, birthdates, and other incredibly personal information. Thankfully, British Airways confirmed that no travel data was taken. But in terms of potential fallout, including the inevitable post-attack data leaks and blackmails attempts—this attack above all others could have been catastrophic.

Mitigations

There is no silver bullet in preventing web-skimming attacks, but there are still measures that can be taken to mitigate the risks.

Merchants (server-side)

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

There are too many aspects of website security to cover here in how to keep your own site from getting hacked, so instead we will focus on a third-party compromise scenario.

Third-party resource integrity checking is one security aspect that has been overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not necessarily mean having to weather the issues experience by a third party. While in this post we have focused on credit card stealers, there are a number of other threats that can be disseminated via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help to mitigate many issues.

Consumers (Client-side)

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones. Of course, with cases like British Airways or Newegg, this piece of advice shows its limitations.

Using browser plugins such as NoScript can prevent JavaScript loading from untrusted sites and therefore reduces the surface of attack. However, it has the same shortcomings when malicious code is embedded in already trusted resources.

Magecart and other web skimmers can be mitigated at the exfiltration layer, by blocking connections to known domains and IPs used by the attackers. It is not full-proof, though, considering how trivial it is to register new properties. But infrastructure reuse is something we still see quite often.

We will continue monitoring these threats and add related indicators of compromise (IOCs) to our database to protect our Malwarebytes customers.