Magecart is a commonly used name for loosely affiliated groups that use digital skimming, or e-skimming, techniques to steal customer data. Magecart is a tactic used by threat actors who target online shopping cart systems, usually the e-commerce Magento system, to steal sensitive customer payment card information.
Reports show that Magecart attacks accelerate mostly during Black Friday and Cyber Monday, and even extend to around and after the Christmas period. It is usually small and medium-sized organisations that fall victim to skimming attacks. Even so, it is not unheard of for large organisations to succumb to skimming attacks: Macy’s, Ticketmaster, American Cancer Society, P&G’s First Aid Beauty, British Airways, Newegg, and more have reported digital skimming breaches over the last few years.
Ticketmaster confessed that 9.4 million people’s data was “potentially affected”, of which 1.5m were in the UK; 66,000 credit cards were compromised and had to be replaced. Alongside this, Ticketmaster admitted they are unsure how many people were affected between 25 May and 23 June 2018.
In early October 2019, Macy’s experienced a Magecart data breach. Their website was compromised and a malicious script was embedded in the ‘My Wallet’ and ‘Checkout’ pages. If payment information was sent through those pages at the time they were compromised, customer information and credit card data was also sent to the cybercriminals. A few months later, Smith & Wesson fell victim to a Magecart incident: their online store was compromised by attackers who injected a malicious script that attempts to steal customers’ payment information.
2019 seemed to have a large increase in Magecart incidents, as Malwarebytes revealed that it had detected and blocked over 65,000 attempts to steal credit card information from online stores compromised in a Magecart attack during July 2019.
Numerous organisations conduct transactional business with their customers online through their websites. These websites host pages that require customers to enter information, and it is common to find sensitive customer data on almost every business’s website. Threat actors can gain access to a store’s source code using unpatched software flaws in various popular e-commerce software.
Third-party scripts are often used to implement business-driven functionalities and features. Modern web development makes the use of third-party controlled scripts very common and unavoidable. These scripts can leave many organisations vulnerable to skimming attacks. Attackers add skimming code directly or side-load it through first- or third-party scripts that are used by the targeted website.
Most skimming attacks are discovered after weeks or months in operation. Successful skimming tends to count on one or more weaknesses on either the target website being exploited or third-party code that is loaded by the target website.
When an attacker finds a method to infiltrate the system, they will install skimming code that has open access to the form fields that process the target data. Skimming code records user input and then sends it to an external command and control server that is controlled by the attacker. To detect skimming attacks, commonly exploited code vulnerabilities need to be uncovered.
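One way to start uncovering risky script loads on a payment page, as an added example that is not from the original article: the Node.js function below lists every external script on a checkout page that is served from a host outside an allowlist, or from a third party without a Subresource Integrity attribute. The origin, the allowlist and the sample markup are constructed for illustration.

```javascript
// Added example: audit the <script> tags of a checkout page.
// PAGE_ORIGIN, ALLOWED_HOSTS and SAMPLE_HTML are constructed for illustration.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.payments.example"]);

// Constructed markup: a first-party script, an allowlisted third-party script
// with SRI, an allowlisted one without SRI, an unknown host, an inline script.
const SAMPLE_HTML = `
<form id="checkout"><input name="card-number"></form>
<script src="/js/cart.js"></script>
<script src="https://cdn.payments.example/pay.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.payments.example/ui.js"></script>
<script src="https://stats.unknown.example/t.js"></script>
<script>document.title = "Checkout";</script>`;

// Read one attribute value from the text of an opening tag.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
  return m ? m[1] : null;
}

// Return one finding per external script that a reviewer should look at.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const pageHost = new URL(pageOrigin).hostname;
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue;            // inline script: review separately
    const url = new URL(src, pageOrigin);  // resolves relative paths
    const thirdParty = url.hostname !== pageHost;
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ src: url.href, issue: "host-not-allowlisted" });
    } else if (thirdParty && attr(tag, "integrity") === null) {
      findings.push({ src: url.href, issue: "third-party-without-sri" });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_HOSTS));
```

Running the audit on a schedule and comparing its findings with the previous run shows when a new script source appears on a payment page.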