Magecart is more than just a security problem—it's also a business problem.
When threat actors breached British Airways in September resulting in the compromise of thousands of customers' credit cards, the world got a look at what the fallout of a modern security breach looks like. Immediately afterward, a law firm launched a £500 million class action suit. On top of that, under GDPR, firms found liable for a breach can be fined up to 4% of turnover, or £500 million in British Airways' case.
Magecart, the digital credit card skimming groups behind some of the most impactful hacks of 2018, was the culprit. As the world saw, Magecart is more than just the flavor of the week hacking group—it's a digital threat that will haunt businesses long into the future. That's why it's foolish to view Magecart as anything but a new threat category all its own. Like malware, phishing, domain infringement, etc., organizations now need a long-term solution to address it.
Magecart is here to stay
2018 saw numerous high-profile digital credit card-skimming attacks against major international companies conducted by Magecart. Alongside British Airways, these included the likes of Ticketmaster and Newegg. These infamous breaches led to the group garnering unprecedented attention with WIRED naming it as one of the eight “most dangerous people on the internet in 2018”.
Security professionals now have Magecart firmly on their radar but what they must remember is that the group is continuously evolving, as seen most recently with the never-before-documented Magecart Group 12.
Strength through evolution
Magecart is becoming an even more significant digital threat as it continues to scale and evolve. The term, ‘Magecart,’ encompasses a wide range of groups that are all joined together by the same goal: to conduct web form skimming campaigns that help them amass payment information that Magecart actors then monetize.
There are currently approximately 12 groups – the twelfth being a recent find – and researchers at RiskIQ are always uncovering more. Existing groups are ambitiously harnessing what are proving to be extraordinarily successful tactics, one of the most notable being web supply chain attacks. While we have attributed this style of attack to Magecart Group 5, we have recently seen a new group, Group 12, take the web-based supply chain attack in a new direction.
These supply chain attacks compromise vendors that supply code often used to add or improve site functionality. This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are affected in kind. This large-scale access to websites gives Magecart access to a wide range of victims at once.
Part of what makes these attacks so successful is that businesses lack visibility into their web-facing attack surface. In many cases, they have no idea that the third-party code on their web assets is dangerous—or that they're running that code at all.
Catching businesses off-guard
In the months and years to come, it is likely that new variants of these sorts of web skimming attacks will emerge, either by the current, or new Magecart groups. While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce.
For businesses, this means that there needs to be a continued focus on visibility into internet-facing attack surfaces and increased scrutiny of third-party services that form an integral part of modern web applications. What Magecart’s recent ravages have shown is that a lot of the investments that have been made in securing corporate infrastructure have not worked. Companies will continue to be overwhelmed by the scale and tenacity of groups of its kind, especially as attacks launch from outside the firewall and the data theft occurs on in the user’s browser, well outside the scope of network monitoring tools.
What difference does it make?
Consumers are at an increased risk of seeing their personal information compromised as a result of this development since it is they who sit on the valuable data. Magecart Group 5 and Group 12 have capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.
What all of this means is that even if a company’s own security measures are strong, they can fall on the weaknesses of third parties, many of which are unknown to the security team. Development teams need to be aware of the potential risks is using these services and should work with the security team on ensuring they are assessed, monitored and managed.
What’s more, with the increased efficiency of credit-card skimming groups the time it will take for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly. In the end, it doesn’t matter to consumers whether their data is stolen as a result of a traditional breach or a web-based supply chain attack. What is at stake is the reputation of organizations that run payment forms online, and the overall confidence of online shoppers.
Magecart: Don't lose sight of the problem
Lately, you've heard a ton of chatter from security vendors around Magecart—what it is, how it operates, and how you can defend against it. The problem is, most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. Many are copying the research of others, and some are even adding to the confusion by calling Magecart something utterly different, like 'form jacking.'
Cut through the noise. Because of RiskIQ's internet-scale visibility and ability to view a businesses' internet-facing attack surface as Magecart sees them, our researchers and technology first exposed, profiled and analyzed Magecart, and now continue to detect it as it evolves.