The Consumer Guide to Shopping Safely in the Age of Magecart

For the last ten years, the e-commerce industry has been battling a stealthy enemy in digital web skimming. Dubbed Magecart by RiskIQ when we first reported on the threat, these groups of cybercriminals have been intercepting credit card information from users making purchases online by breaching websites and injecting their JavaScript web skimmers on checkout pages. Just like a physical skimmer a real-world criminal might put on an ATM or gas pump, these digital skimmers intercept credit card numbers, expiration dates, and CVV numbers when a consumer purchases something online. They then exfiltrate that data to an attacker-owned server to be used by the hacker or sold on the dark web.

From small shops to giant household names like Newegg, Ticketmaster, and British Airways, these attacks have affected thousands of sites, and potentially millions of consumers, with virtually no one knowing. The most significant factor in Magecart's success is that most site owners lack visibility into the code running on their site. As a result, the average Magecart skimmer lasts over two weeks, with many lasting much longer than that.

While the onus is very squarely on businesses to protect their customers by increasing their visibility into the code running on their websites, Magecart is only growing more prevalent. In the meantime, consumers can take precautions to avoid being victimized and having their credit card information feed this criminal enterprise.

Yonathan Klijnsma, RiskIQ's Head Threat Researcher and the leading expert on Magecart, offers five tips you can follow as an online shopper to stay safe.

Check the reputation

The most significant liability when you shop online is the credit card in your hand. Threat actors want to know the numbers on the front and back and are well-equipped with the tools and the knowledge to get it. Please don't do them any favors by shopping on shady websites.

Start by asking, "Do I trust this website?" Check its reputation with a Google search to see if there are complaints about its safety. Do additional research by checking how long the store has existed and who the store owner is. You can usually find this information in the Contact and About pages on the site. If the store is less than a year old or based in an area of high threat activity like China or Eastern Europe or selling products that appear counterfeit, i.e., similar to legitimate products from another company, be suspicious.

See if there is a way to purchase the product without entering your credit card data, or see if the product is available on a trusted site such as Amazon or eBay, which are likely safer than self-hosted (independent) e-commerce sites.

Larger stores are (usually) safer.

Although Magecart is victimizing businesses of all kinds, small businesses are most likely to host a malicious skimmer. Most sites hit by Magecart are small stores that don't have the knowledge or the means to focus on website security. Businesses for which e-commerce isn't central to their operations, i.e., stores that sell things on their site as a secondary offering, are also frequent victims.

Generally, the bigger the store, the more knowledgeable they are about threats targeting e-commerce and the more likely they are to have security staff looking after their site. Large retailers in the US have expansive security controls in place and large teams responsible for the safety of their site's infrastructure.

Don't enter credit card info if you don't have to.

Try to avoid entering your card details into the website. Large stores like Amazon store your card in your account, so you don't need to enter it into a web form where a Magecart skimmer might be lurking. Even small shops now offer Amazon Pay, which allows you to avoid potential skimming by paying via the card stored in your Amazon account rather than manually entering your credit card details.

Another way to avoid entering your card details is by using Apple Pay, PayPal, or a similar mobile payment system, which sends a one-time token of your credit card information. Even if Magecart happens to skim the token, they can't access the associated credit card information. Another option is using one-time-use credit cards, which can be skimmed without consequence.

Keep an eye on your credit card activity.

Don't only watch for large transactions; some thieves run small charges.

If you suspect that your card was skimmed, whether you see a suspicious transaction or not, call your card issuer and request a new card. They'd rather issue you a new card than have a fraudulent transaction go through.

Join the fight against credit card theft.

If you're aware that Magecart skimmed your credit card information, you can help prevent it from happening to someone else. Contact the e-commerce site and tell them about the theft. If they ignore you, you can contact law enforcement. The FBI is very interested in these crimes. You can also contact the payment provider because they can track the number of fraudulent transactions that occur when buyers are buying from a merchant.

Major browsers use lists to block known malicious websites. Chrome uses Google Safe Browsing, and Microsoft Edge uses SmartScreen. When RiskIQ identifies Magecart code, they report it to Google Safe Browsing.

Help kids understand the risks of shopping online.

Teaching kids safe online shopping practices from an early age is crucial as online shopping becomes more prevalent in society. Along with the methods outlined above to avoid web skimming, kids should know the other threats lurking on the internet targeting consumers and how to avoid them.

RiskIQ sees fake and fraudulent tech support scams, prize offerings, software updates, and coupons in every corner of the internet. These scams can phish for information, or infect users with adware and malware. They're prevalent but relatively easy to spot. Knowing when something on the internet is too good to be true goes a long way to staying safe online.