[BreachExchange] Protect your organization in the age of Magecart

Destry Winant destry at riskbasedsecurity.com
Tue Aug 25 10:09:00 EDT 2020


https://www.helpnetsecurity.com/2020/08/24/protect-your-organization-in-the-age-of-magecart/

The continuing wave of attacks by cybercriminal groups known under the
umbrella term Magecart perfectly illustrates just how unprepared many
e-commerce operations are from a security point of view. It all really
boils down to timing. If the e-commerce world were able to detect such
Magecart attacks in a matter of seconds (rather than weeks or months),
then we could see an end to Magecart stealing all of the cybercrime
headlines.

What steps can organizations take then to mitigate against this method
of cyber attack? Let’s delve deeper.

Assess your degree of client-side visibility

To avoid the "hindsight is 20/20" syndrome, a key first step is
understanding how aware you are of what your users are actually
getting when they visit your e-commerce platform. You may think that
every user gets an identical, safe-to-use version of your website
when, in fact, some users may be interacting with compromised web
pages and hijacked forms.

It might surprise you to learn that neither business owners nor
security teams seem to have a definite answer here.

For far too long now, there has been a spotlight on server-side
security. Consequently, just about everything that happens on the
client side (the browser, which is precisely the environment where
Magecart attacks thrive) is generally overlooked. Based on the
information gleaned from previous Magecart attacks, it is clear that
there is no sure-fire way of preventing these types of attacks
completely. However, a good place to start is to shift our focus and
prioritize what is happening on the client side.

The average Magecart attack remains undetected for 22 days and it only
took 15 days for attackers to steal 380,000 credit cards during the
British Airways breach. That’s 18 credit cards per minute. This is how
you should look at this threat: each minute that goes by while there’s
an undetected skimmer on your website means a growing critical
business problem.

Third parties are your weakest link

Various Magecart groups use different strategies to breach e-commerce
websites. However, most go after the weakest security link: they avoid
breaching your servers and prefer delivering malicious code to your
website through third parties.

Nearly all websites use one or more third-party solutions: a live chat
widget, an analytics tool, or an accessibility service. By doing so,
companies end up having almost no control over the security of this
externally sourced code. When attackers breach one of these third
parties and inject malicious code, this code very easily bypasses
firewalls and browser security mechanisms because the attack
originates from a source that is trusted by default – in this case, a
legitimate third-party supplier.

It is crucial that your business scrutinizes third-party code and the
security posture of the suppliers who provide it. Sadly, this is
rarely something companies prioritize, as they are focused on product
development.

And while many businesses are only just now learning about Magecart
web skimmers, these skimmers are far from being the first iteration.
Over time, skimmers have evolved to include obfuscation techniques to
conceal their malicious code and even go as far as using defense
mechanisms to avoid being detected by bots, rendering many detection
options useless.

Taking decisive action to detect and control Magecart web skimmers

An ever-evolving security mindset is needed here. Businesses should
find ways to quickly detect these injected skimmers and swiftly block
Magecart attacks. This is preferable to relying solely on solutions
that try to prevent code injections, since, as noted above, such
injections cannot be prevented completely.

Whilst third-party management and validation play an important part,
they alone are not enough. The key is to look for malicious behavior.

We know that a skimmer always displays at least one sign of malicious
activity. For example, a known script like a live chat has no business
interacting with a payment form (formjacking). If that happens, it’s
an indicator that something may be wrong. Also, if we start seeing a
new script appearing in some user sessions, that is also something
that warrants further analysis. Sure, it could be harmless – but it
could also be a skimmer. Similarly, a network request to a previously
unknown domain may be an indication that attackers are trying to
exfiltrate data to their drop servers.
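The three indicators above can be turned into a simple behavioural
triage over client-side telemetry. The following is an added example,
not code from the article or any vendor's product; every hostname,
script name and the event format are constructed for illustration,
and it assumes a baseline of scripts and egress hosts captured from a
known-good page load.

```javascript
// Added example (not from the article). Hostnames, script names and the
// event format are all constructed for illustration.
const BASELINE = {  // baseline captured from a known-good page load
  scripts: new Set(["https://shop.example/js/checkout.js",
    "https://chat.example/widget.js", "https://analytics.example/a.js"]),
  paymentScripts: new Set(["https://shop.example/js/checkout.js"]), // may read card fields
  egressHosts: new Set(["shop.example", "chat.example", "analytics.example"]),
};
const PAYMENT_FIELDS = new Set(["cardNumber", "cvv", "expiry"]);
// Events: {type:"script_load",src} {type:"form_access",script,field} {type:"request",script,url}
function triage(events, baseline = BASELINE) {
  const findings = [];
  const byScript = new Map(); // script -> indicators seen, for correlation
  const note = (indicator, detail, script) => {
    findings.push({ indicator, detail });
    if (!byScript.has(script)) byScript.set(script, new Set());
    byScript.get(script).add(indicator);
  };
  for (const ev of events) {
    if (ev.type === "script_load" && !baseline.scripts.has(ev.src)) {
      note("new_script", ev.src, ev.src); // script never seen in the baseline
    } else if (ev.type === "form_access" && PAYMENT_FIELDS.has(ev.field)
               && !baseline.paymentScripts.has(ev.script)) {
      note("formjacking", `${ev.script} read ${ev.field}`, ev.script);
    } else if (ev.type === "request") {
      const host = new URL(ev.url).hostname; // possible drop server
      if (!baseline.egressHosts.has(host)) note("unknown_egress", host, ev.script);
    }
  }
  // A script that both reads card fields and posts to an unknown host is the
  // skimmer pattern itself: escalate it above the two individual signals.
  for (const [script, seen] of byScript) {
    if (seen.has("formjacking") && seen.has("unknown_egress")) {
      findings.push({ indicator: "skimmer_suspected", detail: script });
    }
  }
  return findings;
}
// Constructed session: the chat widget has started reading the CVV and
// sending it to a host the baseline has never seen.
const SAMPLE_SESSION = [
  { type: "script_load", src: "https://shop.example/js/checkout.js" },
  { type: "script_load", src: "https://cdn-static.example/loader.js" },
  { type: "form_access", script: "https://shop.example/js/checkout.js", field: "cardNumber" },
  { type: "form_access", script: "https://chat.example/widget.js", field: "cvv" },
  { type: "request", script: "https://chat.example/widget.js", url: "https://collect.unknown.example/p" },
  { type: "request", script: "https://analytics.example/a.js", url: "https://analytics.example/beacon" },
];
console.log(triage(SAMPLE_SESSION));
```

The checkout script reading the card number produces no finding, while
the chat widget is escalated because it shows both the formjacking and
the unknown-egress signal in the same session.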

It is precisely here where most businesses are deficient. Not only do
companies lack client-side visibility, but they also lack proper
detection and control capabilities. Taking decisive action against web
skimming means being able to detect and control any malicious activity
on the client side in real time. To this end, consider a web page
monitoring solution, as it brings real-time visibility of malicious
code and provides a more effective Magecart mitigation approach.
