A Deep Dive Into Magecart

What is Magecart?

Magecart is a rapidly growing cybercrime syndicate made up of dozens of subgroups that specialize in digital credit card theft by skimming online payment forms. The name is also used for the JavaScript skimmer code those groups inject.


How does Magecart work?

Magecart works by operatives gaining access to websites either directly or via third-party services and injecting malicious JavaScript that steals data shoppers enter into online payment forms, typically on checkout pages.

Magecart operatives breach sites either directly or through supply chain attacks. Supply chain attacks target the third parties that supply code to websites: vendors whose scripts integrate with a site to add or improve functionality, or cloud storage from which a site pulls code, such as Amazon S3 buckets. Because one such supplier may be embedded in thousands of websites, compromising the supplier's script effectively breaches thousands of sites at once.


Who does Magecart Target?

Magecart mainly targets e-commerce websites, aiming to inject JavaScript skimmers on checkout pages. However, Magecart groups also breach many other kinds of sites, because any online form that collects sensitive, monetizable data can be skimmed the same way.

Magecart takes advantage of online businesses' general lack of visibility into their web-facing attack surface. In many cases the victims have no idea the JavaScript on their site has been changed, allowing the malicious code to remain there indefinitely. In supply chain attacks, it is common for a victim not to know that the third-party JavaScript on its site has been compromised, or even that it is running code from the breached supplier at all.

Notable Magecart Attacks

Magecart & Ticketmaster

On June 27th, 2018, Ticketmaster disclosed that it had been compromised, with actors stealing payment information from the company's various websites. RiskIQ found that the breach resulted from Magecart operatives placing skimmers on Ticketmaster checkout pages through the compromise of a third-party functionality supplier, Inbenta. Overall, the breach of Inbenta affected over 800 e-commerce sites around the world.

Magecart & British Airways

On September 6th, 2018, British Airways announced it had suffered a breach of its website and mobile app, resulting in the theft of payment data of 380,000 customers. RiskIQ researchers traced the breach to Magecart.

The attack compromised the British Airways site directly, with a skimmer tailored to the site's own payment-page code rather than a generic third-party script. Magecart operatives copied and modified the JavaScript supporting payment forms on the British Airways website so that it sent all payment information to an attacker-controlled server. They made sure the forms still worked as intended in the user's browser, so nothing looked wrong to the customer and the modification went unnoticed.

The attackers were also aware that the British Airways mobile app used much of the same functionality as the web app, so compromising the website's scripts would also reach the app's users. Many of the 380,000 victims were mobile app users.

Magecart & Amazon S3 Buckets

The second-largest spike in Magecart detections occurred in July 2019, when RiskIQ announced that a mass compromise of third-party web suppliers by a Magecart group was much larger than previously reported. The actors automated the planting of skimmers by actively scanning for misconfigured Amazon S3 buckets and overwriting the JavaScript files hosted in them, compromising a vast collection of buckets and impacting well over 17,000 domains, including websites in the top 2,000 of the Alexa rankings. RiskIQ has been monitoring the compromise of S3 buckets since the campaign began in early April 2019.

Magecart & Magento

Magecart will always be intrinsically connected to one program in particular: Magento. When we first wrote about Magecart back in 2016, Magento was the primary third-party shopping software targeted, inspiring the now-infamous name, which is a combination of “Magento” and “shopping cart.” To this day, third-party shopping platforms such as Magento and OpenCart, which fuel an enormous portion of e-commerce, are the lifeblood of many Magecart groups.

Monetization Through Reshipping Schemes

RiskIQ research revealed how some Magecart actors targeting e-commerce sites cash out: items purchased with stolen cards are routed through a physical reshipping company operating with mules in the U.S.

By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, RiskIQ found that the server behind its IP address also hosted the website of a reshipping company falsely advertised as a freight/logistics provider. Magecart operatives recruit mules through false employment ads on Russian job websites aimed at U.S.-based job seekers, under the pretense of hiring "transport agents." These mules receive shipments of electronics and other goods bought with stolen credit cards and forward them to an address in Eastern Europe.

This technique is similar to more traditional schemes involving money mules, but rather than a direct transfer of funds, the actors behind Magecart transfer funds into higher-priced goods. These goods can be shipped across borders without suspicion, then sold for a hefty profit.

RiskIQ Has Been Tracking Magecart Since 2015

RiskIQ has reported extensively on Magecart and will continue to report on the threat as it evolves. You can see our full Magecart library on the RiskIQ blog.
