Keeping Magecart Off The Holiday Stocking: Quick Guide

Keep Magecart skimmers and Magecart attacks off the Holiday stocking.

What are Magecart web skimming attacks?

Magecart is a collective name given to cybercriminals who inject digital credit card skimmers (or web skimmers) into e-commerce and payment websites.

Though they've operated since 2015, they’ve gained momentum from 2018 onward.

In a Magecart attack, threat actors inject malicious JavaScript code that collects credit card details whenever an end-user submits a form (a process known as formjacking) and then sends this data to attacker-controlled drop servers.

During this process, both the end-user and the company had no idea that the attack had taken place.

It’s important to note that attackers may gain access to the victim’s website in two ways:

1. Directly place the skimmer on the payment page (first-party attack);

2. Inject the malicious code through a third-party provider that the target company is using (e.g., a chatbot service).
   

Third-party Magecart attacks are especially critical because they don’t require a first-party server breach or direct access to the company’s website.

Instead, attackers target the company’s weakest third parties, which often have fewer resources dedicated to security and thus represent an easier target.

Remember: Every piece of third-party code that a company uses on its website can become a vehicle for Magecart attacks.

Consequences of a Magecart Attack

Because many Magecart attacks occur without any awareness from the users or the affected company, they often remain active for months before being detected and taken down.

This contributes to the aggravation of penalties due to the breach of compliance with regulations. Note the case with the GDPR fine of $26 million on British Airways.

Then, regulations aside, we still have to consider the potential long-lasting impacts on business reputation and the loss of customer trust, which can directly translate to a significant drop in revenue.

Magecart Mitigation 101

You may be wondering if Magecart attacks have such devastating consequences for businesses, then how do we mitigate them?

The issue is that, despite a great push to spread awareness on how to prevent Magecart, new attacks keep emerging every week, and they’re getting more sophisticated.

Even so, there are a variety of security solutions out there that attempt to prevent Magecart attacks. The tricky part is understanding how each approach works and whether it is actually able to mitigate Magecart or not.

Let’s look at the approaches and limitations of two solutions that are often used to prevent client-side attacks that originate from compromised third parties: Content Security Policy (CSP) and Subresource Integrity (SRI).

In the case of CSP, it restricts domains and resources based on an allowlist, preventing the connection to attackers’ drop servers to send exfiltrated data. The limitations here are tied to the fact that CSPs (especially earlier versions) are bypassable.

Not only that, there is no continuous monitoring of the previously allowed domains, meaning there is no sure way to guarantee that they didn’t become infected with malicious scripts after they were first whitelisted.

Then, with SRI, the browser only loads scripts that pass an integrity check to verify the script hasn’t been changed since it was put into use.

This means that when the content of the script changes, it won’t be loaded. It’s easy to understand that this approach has some shortcomings when it comes to maintenance since it locks you into a specific version of a script.

Attackers can also bypass the system by changing the tags used.

A behavior-based solution for Magecart prevention

Despite the multitude of ways attackers can use to reach their target in a client-side attack such as Magecart, companies can put in place specific measures to prevent this threat.

The best approach is to be able to detect and block the malicious behavior that Magecart attacks inflict upon a web page in real-time.

Jscrambler Webpage Integrity (WPI) does this by using rule-based behavior control. WPI detects several different types of malicious behavior, both in terms of resources and network events, that happen in every Magecart attack.

Using granular permission levels, WPI can block, in real-time, any malicious behavior on the client-side of web applications, including Magecart attacks.

By continuously monitoring a website’s third-party scripts, WPI provides complete client-side visibility that, together with rule-based control, is able to mitigate Magecart attacks before they ever unfold.

If you’re interested in finding out how to keep Magecart off your website, here’s our holiday present for you: Free Inventory Report to gain visibility over your website's scripts.