What are Magecart attacks and how can they affect a company?

Magecart is a rapidly growing cybercrime, that comprises dozens of subgroups that specialise in cyberattacks involving digital credit card theft by skimming online payment forms.

It is a style of cyberattack in which hackers compromise third-party code (typically Javascript that runs in browsers) to steal, or scrape, information such as credit card data from web applications (e.g. online checkout software) or websites that incorporate the code. Web skimming continues to be a real threat to online merchants and shoppers with attacks severely impacting organisations including British Airways and Ticketmaster in 2018, Forbes magazine in 2019, plus local US government portals and messaging service Telegram 2020. 

Magecart works by operatives gaining access to websites either directly or via third-party services and injecting malicious JavaScript that steals data shoppers enter into online payment forms, typically on checkout pages.

Magecart operatives either breach sites directly or via supply chain attacks. Supply chain attacks target third parties that supply code to websites. These third parties integrate with thousands of websites, so when one supplier is compromised, Magecart has effectively breached thousands of sites at once.

Some of the worlds largest companies are at risk 

Cyberpion, a cybersecurity pioneer in external attack surface management (EASM), revealed that some of the world’s largest companies across retail, banking, healthcare, energy, and many other sectors, including Fortune 500, Global 500, and governments are failing to prevent Magecart attacks. 

The research analysed more than 30,000 Magecart vulnerabilities over the last two years and found weaknesses in modern security platforms and processes to identify and mitigate Magecart exploits. More than 10,000 Magecart vulnerabilities are still active. 

There were also lapses in enterprises disclosing security vulnerabilities or exploits occurring along their digital supply chains to their customers, ultimately placing all connected organisations at severe risk of a critical breach. 

What did the research find? 

Highlights from the research include: 

• At least one of the top five enterprises in many verticals—retail, insurance, financial services, pharma, media, security and others—were found to be vulnerable or abused. 
• More than 1,000 online shops are vulnerable, exposing their customers to skimming. Some of the most popular international newspapers were found to be vulnerable, often via their home page 
• Lesson not learnt: The exact vulnerability that led to Magecart’s data breach on British Airways could easily be replicated on the sites of other global aviation companies, despite being a simple fix.  
• Some vulnerable or abused companies do use anti-Magecart solutions, but these could be bypassed.
• Vendor infrastructure exposes many other connected organisations to Magecart, yet vendors often fail to inform them about it early enough in order for them to take preventative action. In one case, a leading online advertising network affected 15 global insurance brands alongside hundreds of other enterprises. 

“Our conclusion from the analysis is that as of today, organisations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. Victims are often the last to know as it’s only later that organisations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.”