Jscrambler

[Case Study] How a Major Airline is Mitigating Magecart Attacks with Jscrambler

June 23rd, 2021 | By Jscrambler | 5 min read

A major airline is mitigating Magecart attacks with Jscrambler's Code Integrity solution, which provides fine-grained behavior control.

If you are a cybersecurity aficionado, you have likely heard of the Magecart cybercriminal groups. They have been very active since 2018 and are known for injecting web credit card skimmers on e-commerce and payment websites, which pose a serious threat to businesses.

Note: As per the request of our clients, we have anonymized all company and personal names.

Magecart: Evolved Web Skimming


In a Magecart attack, attackers inject a skimmer that can hijack the submission of a form containing credit card details. These details are then sent to attacker-controlled drop servers. During this whole process, neither the end user nor the company has any awareness that the attack has taken place.

While we’ve seen Magecart attacks originating from compromises of first-party and third-party code, attacks targeting third parties are especially critical because they don’t require a first-party server breach or direct access to the company’s website.

Attackers can exploit a third-party integration, such as a live chat widget, to inject the skimmer’s code without being detected.

The Key Business Threats of Magecart


Because many Magecart attacks occur without any awareness from the users or the affected company, they remain active for months before being detected and taken down.

From our analysis of a sample of known attacks, skimmers remain active for 104 days on average before being detected and taken down.

These attacks pose a significant threat to businesses. Looking back at known Magecart attacks, we see that they have likely caused over $1 billion in direct business losses, notably the $26 million GDPR fine on British Airways.

Then, we still have to consider the potential deep impact of indirect business losses. Because of negative PR and a loss of customer trust following a Magecart data breach, losses in revenue can have a long-lasting impact on the business.

Behavior-Based Magecart Mitigation


New Magecart attacks are still emerging every week and getting more sophisticated. Companies are gradually understanding the need to think outside the firewall and are looking to protect the client side. But several security approaches commonly associated with Magecart prevention often fail to stop this new wave of sophisticated Magecart skimmers.

Some, like CSP, are often bypassable; others introduce unsustainable performance drops and cause malfunctions.

While these skimmers keep evolving their tactics, they always display specific types of malicious behavior. As such, a behavior-based approach to Magecart mitigation provides the best chances of detecting and blocking this malicious behavior in real time.

This is what Jscrambler Webpage Integrity has been delivering to e-commerce enterprises.

Jscrambler and Major Airline: Magecart Mitigation


The Challenges

The 2018 Magecart attack on British Airways made headlines around the world because it managed to silently exfiltrate over 380,000 credit cards and remain active for 15 days before being detected and taken down.

After it was disclosed that BA initially faced a $230 million GDPR fine, the threat of Magecart attacks became much more noteworthy.

Companies started to look for solutions able to mitigate this type of sophisticated client-side attack, and Jscrambler was contacted by a major airline with this challenge: to prevent Magecart web skimmers from running undetected on their pages and exfiltrating data.

This company had web apps running scripts from third parties. One key priority was being able to know when one of these scripts changed behavior.

Such a change could potentially be linked to attackers exploiting the vulnerabilities of these third-party providers and injecting malicious code that could lead to a Magecart attack.

“After learning about the Magecart attack on British Airways, it became our priority to detect and prevent these attacks from happening to us.” Jscrambler client, from the Airline industry.

Fast implementation was one of the biggest requirements of this project. Each unmonitored user session could potentially hide a web skimmer, and the risk of a breach was tangible.

And with the company having such a complex web environment, several other requirements had to be met. For one, the company required a solution that could be easily integrated into the SIEM that it was currently using. Then, it had to guarantee minimal performance overhead, ensuring that the end user’s experience wouldn’t be negatively affected.

“We had to be alerted immediately when a third-party script started doing things that it shouldn’t do.” Jscrambler client, from the Airline industry

The company also wanted to make sure that the solution would work correctly even in scenarios where file names change frequently.

The Solution

Due to the urgency of implementing a solution that was capable of stopping potential Magecart attacks, the company tested several different vendors.

“Jscrambler has merit in passing every test we threw at it and being able to thwart the web skimming scenarios that we tested.” Jscrambler client, from the Airline industry.

As such, the company put Jscrambler Webpage Integrity to the test in multiple attack scenarios. These dozens of tests covered detecting the illegitimate addition, modification, or removal of content from the page (DOM tampering), the poisoning of form events, and the exfiltration of data to a drop server.
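The behaviors listed above (DOM tampering, form-event changes, data sent to a new destination), together with the earlier requirement to keep working when file names change, can be illustrated with a simple learn-then-compare check. This is an added example, not Jscrambler's implementation; the event shape, function names, and sample hosts are assumptions constructed for illustration.

```javascript
// Added illustration, not Jscrambler code. Event shape and sample data are constructed.
// Map a script URL to a stable identity so a renamed bundle
// (chat.3fa9c1.js -> chat.b77e02.js) still hits the same baseline entry.
function scriptIdentity(url) {
  const u = new URL(url);
  return u.origin + u.pathname.replace(/[.-][0-9a-f]{6,}(?=\.js$)/i, ".*");
}
// Collapse an observed event into a coarse behaviour key.
function behaviourKey(ev) {
  if (ev.type === "network") return "network:" + new URL(ev.target).host;
  if (ev.type === "listener") return `listener:${ev.element}:${ev.event}`;
  if (ev.type === "dom") return `dom:${ev.action}:${ev.element}`;
  return "other:" + ev.type;
}
// Learning phase: record every behaviour seen per script identity.
function buildBaseline(events) {
  const baseline = new Map();
  for (const ev of events) {
    const id = scriptIdentity(ev.script);
    if (!baseline.has(id)) baseline.set(id, new Set());
    baseline.get(id).add(behaviourKey(ev));
  }
  return baseline;
}
// Enforcement phase: anything outside the baseline becomes an alert.
function findDeviations(baseline, events) {
  const alerts = [];
  for (const ev of events) {
    const script = scriptIdentity(ev.script);
    const behaviour = behaviourKey(ev);
    const known = baseline.get(script);
    if (!known || !known.has(behaviour))
      alerts.push({ script, behaviour, reason: known ? "new-behaviour" : "unknown-script" });
  }
  return alerts;
}

// Constructed sample: a chat widget during learning, then after a change.
const OLD = "https://chat.example/widget/chat.3fa9c1.js";
const NEW = "https://chat.example/widget/chat.b77e02.js";
const learning = [
  { script: OLD, type: "network", target: "https://api.chat.example/session" },
  { script: OLD, type: "dom", action: "add", element: "div#chat" },
];
const live = [
  { script: NEW, type: "network", target: "https://api.chat.example/session" },
  { script: NEW, type: "listener", element: "form#payment", event: "submit" },
  { script: NEW, type: "network", target: "https://collector.invalid/c" },
];
const alerts = findDeviations(buildBaseline(learning), live);
```

The renamed bundle's usual API call raises nothing, while the new submit listener on the payment form and the request to an unseen host each produce an alert that could be forwarded to a SIEM.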

Beyond testing the raw detection and mitigation capabilities of Jscrambler, the company also highlighted the exceptional level of control that the tool provides.

Unlike most solutions out there, Jscrambler Webpage Integrity provides fine-grained behavior control based on both high-level assumptions and user-defined rules.

“The level of control and the ease of taking out the solution with no impact are added benefits.” Jscrambler client, from the Airline industry.

Performance was also tested to understand the potential impact that Jscrambler could have when added to the company’s web pages. During these tests, our client found that Jscrambler could easily be taken out with zero impact, and this flexibility was very valuable in their case.

After pondering all the factors, from the raw capabilities to the ease of integrating and maintaining the solution, the company concluded that Jscrambler outperformed all other vendors. As a result, they took the step of migrating from a PoC environment to a live production one.

The Results

Throughout every stage of the demanding testing process, Jscrambler Webpage Integrity consistently received approval from several different teams and committees within the company, from software development to architecture and legal.

By providing support from a dedicated engineering team, we were able to deliver within this very challenging timeframe. We were successful in ensuring a very smooth transition from PoC to a live environment. During the 2-week learning process after the official kick-off, we were able to fine-tune Jscrambler and ensure it would be ready for the battlefield.

“This solution has met our requirements, and we’re confident to deploy it in our live environment to help us prevent a Magecart breach.” Jscrambler client, from the Airline industry.

More than being able to deliver a timely, robust, and flexible solution to a major airline (and receiving additional confirmation that our solution is the best choice to mitigate Magecart attacks), we’re thrilled to know that millions of travelers benefit from protection against credit card skimmers and enjoy a safer online experience.

Conclusion


Magecart attacks can have devastating impacts on companies, which are further aggravated when they don’t have adequate visibility over what is happening.

In this case study, we saw how Jscrambler was able to help a major airline mitigate this threat, but our mission doesn’t stop here.

As such, we are offering a free inventory report to help start preventing Magecart attacks.
