Looking deep into Magecart
This research follows the trail of servers compromised by Magecart groups, as well as the collection servers to which the sites were actively sending stolen credit card data, in an effort to examine commonalities between victim websites and the tactics, techniques, and procedures used to compromise the servers.
Arxan and Aite Group have also worked with federal law enforcement to notify the 80 victim sites discovered during this research as well as the staging sites used by the Magecart groups to collect the stolen data.
Magecart attacks have been successfully used against Ticketmaster, Forbes, British Airways, and Newegg. Data collected is monetized on the dark web or through re-shipping scams that send high value goods bought with stolen card details to 'mules' who send them on.
"Most attacks that we are used to talking about are things that go into the company to be effective. But this attack is siphoning things off at the client interface point in the browser," says Aaron Lint, chief scientist and VP of research at Arxan. "It looks like around 4,800 sites are compromised every month, some due to outdated or vulnerable versions of eCommerce platforms, some due to other vulnerabilities that have allowed the attacker to place code on a server. A third path is supply chain attacks as applications may be composed of many third-party components."
Just 2.5 hours of initial research led to the discovery of over 80 compromised eCommerce sites globally that were actively sending credit card numbers to off-site servers under the control of the Magecart groups. The most common similarity across the 80 sites was the use of Magento, all of which were running old versions that are vulnerable to an unauthenticated upload and remote code execution vulnerability that has published exploits available for it. None of the 80 sites discovered had in-app protection implemented, such as tamper detection and code obfuscation. What's more 25 percent of the sites discovered were large, reputable brands.
"Companies must realize that there's an attack surface in the hands of the customer," adds Lint. "What happens in the browser needs to be part of an application security strategy for an organization. There's really no excuse in this day and age not to consider that as part of your overall threat matrix."
More information along with details of how businesses can protect themselves is available in the full report on the Arxan website.