CBS News: A Look Behind the Magecart Assault on E-commerce


November 1, 2018, Team RiskIQ

Magecart, an umbrella term given to at least seven cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate, is responsible for recent high-profile breaches of global brands Ticketmaster, British Airways, and Newegg.

Over the past few years, Magecart operatives have intercepted thousands of consumer credit card records, and with the biggest online shopping weekend of the year on the horizon, we expect Magecart activity to ramp up dramatically. Now more than ever, it’s critical to understand Magecart and its all-out assault on e-commerce.

We took to CBS News to explain this threat and how we can combat it. Get to know your most present adversary and find out how you can avoid becoming a victim:

Watch our segment on CBS News

A Unique Approach to a Unique Threat

RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.

When crawling a page, RiskIQ maps its structure and breaks it down to its smallest elements. This data is captured and stored in our massive databases to provide a point-in-time snapshot of how a page appears and functions, including its JavaScript. With this reference, we can observe changes, such as the addition of a Magecart skimmer, as they happen. It’s this proprietary historical data that allowed us to amend the official timeline of the Ticketmaster attack and prove that the Magecart skimmer was live on Newegg’s website for over a month.
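The snapshot-and-compare idea described above can be illustrated with a small script inventory diff. This is an added example, not RiskIQ's code or detection logic; the class and function names and the sample pages are constructed for illustration, and it only compares the script tags of two saved HTML snapshots.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect external script hosts and hashes of inline scripts from one page."""

    def __init__(self):
        super().__init__()
        self.hosts, self.inline = set(), set()
        self._buf = None  # collects inline script text while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative URLs have no host part; record them as same-origin.
            self.hosts.add(urlparse(src).netloc.lower() or "(same-origin)")
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def snapshot(html):
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    return inv

def diff_snapshots(old_html, new_html):
    """Return script hosts and inline-script hashes seen only in the newer snapshot."""
    old, new = snapshot(old_html), snapshot(new_html)
    return {"new_hosts": sorted(new.hosts - old.hosts), "new_inline": sorted(new.inline - old.inline)}

# Constructed snapshots of a checkout page; all host names are placeholders.
BEFORE = '<html><script src="https://cdn.shop.example/app.js"></script><script>initCart();</script></html>'
AFTER = BEFORE.replace("</html>", '<script src="https://stats.cdn-example.test/a.js"></script></html>')

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

A new script host or a changed inline-script hash on a payment page is a prompt for review, not proof of a skimmer; legitimate deployments change both.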

Our researchers direct RiskIQ’s crawlers with custom detection policies they write while hunting for Magecart and taking note of their skimmers’ unique JavaScript signatures. From the petabytes of data these crawls collect, RiskIQ builds out static indexes including passive DNS, SSL certificates, host pairs (redirects), and web components. Pivoting on these data sets allows us to uncover Magecart’s tactics and identify victims. For example, our Components data set shows us all the sites running a third-party analytics script compromised by Magecart, and our Host Pairs data set shows relationships between websites running the Magecart skimmer.

Check out the RiskIQ blog for more information on the Magecart threat.
