What are Magecart web skimming attacks?
Magecart is a collective name given to cybercriminals who inject digital credit card skimmers (or web skimmers) into e-commerce and payment websites. Though they've operated since 2015, they’ve gained momentum from 2018 onwards.
It’s also important to note that attackers may gain access to the victim’s website in two ways:
- Directly place the skimmer on the payment page (first-party attack);
- Inject the malicious code through a third-party provider that the target company is using (e.g. a chatbot service).
Third-party Magecart attacks are especially critical because they don’t require a first-party server breach or direct access to the company’s website. Instead, attackers target the company’s weakest third parties, which often have fewer resources dedicated to security and thus represent an easier target.
Remember: Every piece of third-party code that a company uses in its website can become a vehicle for Magecart attacks.
Consequences of a Magecart Attack
Because many Magecart attacks occur without any awareness from the users and the affected company, they often remain active for months before being detected and taken down. Naturally, this contributes to the aggravation of penalties due to the breach of compliance with regulations. Note the case with the GDPR fine of $26 million on British Airways.
Then, regulations apart, we still have to consider the potential long-lasting impacts on business reputation and the loss of customer trust, which can directly translate to a significant drop in revenue.
Magecart Mitigation 101
You may be wondering if Magecart attacks have such devastating consequences for businesses then how do we mitigate them?
The issue is, despite a great push to spread awareness on how to prevent Magecart, new attacks keep emerging every week and they’re getting more sophisticated.
Even so, there are a variety of security solutions out there that attempt to prevent Magecart attacks. The tricky part is understanding how each approach works and if it is actually able to mitigate Magecart or not.
Let’s briefly look at the approaches and limitations of two solutions that are often used to prevent client-side attacks that originate from compromised third parties: Content Security Policy (CSP) and Subresource Integrity (SRI).
In the case of CSP, it restricts domains and resources based on an allowlist, preventing the connection to attackers’ drop servers to send exfiltrated data. The limitations here are tied to the fact that CSPs (especially earlier versions) are bypassable. Not only that, there is no continuous monitoring of the previously allowlisted domains, meaning there is no sure way to guarantee that they didn’t become infected with malicious scripts after they were first whitelisted.
Then with SRI, the browser only loads scripts that pass an integrity check to verify the script hasn’t been changed since it has been put in use. This means that when the content of the script changes, it won’t be loaded. It’s easy to understand that this approach has some shortcomings when it comes to maintenance since it locks you to a specific version of a script. Not only that, but attackers can also bypass the system by changing the tags used.
You can read more on other security approaches and their effectiveness against Magecart attacks here.
A behavior-based solution for Magecart prevention
Despite the multitude of ways attackers can use to reach their target in a client-side attack such as Magecart, companies can put in place specific measures to prevent this threat. Here, the best approach is to be able to detect and block the malicious behavior that Magecart attacks inflict upon a web page in real-time.
Jscrambler Webpage Integrity (WPI) does this by using rule-based behavior control. WPI detects several different types of malicious behavior — both in terms of resources and network events — which happen in every Magecart attack. Then, using granular permission levels, WPI can block, in real-time, any malicious behavior on the client-side of web applications — including Magecart attacks.
By continuously monitoring a website’s third-party scripts, WPI provides complete client-side visibility that, together with rule-based control, is able to mitigate Magecart attacks before they ever unfold.
Lastly, if you’re interested in finding out how to keep Magecart off your website, here’s our holiday present for you: Free Magecart Detection for 3 months.