Security

The Anatomy of a Magecart Attack and How to Protect Your Site

By Josh Carter on April, 18 2019
Josh Carter

Director of Marketing, Blue Triangle

Magecart is just one of 38 JavaScript-sniffing groups that have been stealing credit cards, account numbers, and other types of personal data from millions of online shoppers in the last year.

In 2018, they made headlines by hacking major sites like Ticketmaster, British Airways, and Newegg and was considered one of WIRED's Most Dangerous People on the Internet in 2018.

The Attack

Magecart injects their code onto websites by hacking first- or third-party JavaScript, like an advertising tag or a Magento plugin. Then they use that code to collect personal data and send that data back to their domain.

How a magecart attack works

Since the malicious code is customized to work with the victim's site and is often only a few lines, it can go undetected for weeks or even months.

In Newegg's case, Magecart injected just 8 lines of code in their checkout process and stealthily created a domain called neweggstats.com to collect credit card information. The attack lasted 33 days before the code was identified by Volexity and quickly removed.

Here are the 8 lines of credit-card stealing code:

newegg magecart script

Source: Volexity

Symptoms

Due to the sneaky nature of Magecart, there are very few ways for websites to diagnose whether or not they've been hacked.

  • Banks and payment processors correlate a high volume of fraudulent activity to a common website and then notify the website. (most common)
  • Customers file complaints of fraudulent activity with a website following a transaction.
  • Security vendors like Volexity, RiskIQ and Trend Micro identify websites with compromised code.
  • Scheduled website scans identify changes in JavaScript code composition. Then that code is scrutinized. (least common)

Treatment

Aside from identifying and removing the malicious Magecart code, US companies are required by law to disclose security breaches that impact customer data. As you can imagine, this impacts brand reputation and future revenue.

Ticketmaster UK was hit with a $6.5 million dollar lawsuit after they were hacked, and British Airways is reimbursing its customers for any fraudulent activity that occurred as a direct result of their data breach.  Magecart stole 380,000 of their customers' credit card numbers.

Check out some of the headlines:

magecart headlinesSource: Google News

But the treatment doesn't stop there. According to Dutch security researcher Willem de Groot, 1 out of 5 breached sites is "infected (and cleaned) multiple times". Websites must remain vigilant and take preventative measures to ensure they are not hacked again.

Prevention

To best prevent a Magecart attack, you need to:

  1. Secure your first-party code
  2. Mitigate third-party risk
  3. Block unauthorized transmission of personal data

Secure your first-party code

Ensure your web server infrastructure is up-to-date and fine-tune your web application firewall (WAF) to help prevent your first-party code from getting compromised.

Configure your WAF to block and alert you when there are potential code injection attacks (e.g. PHP Object Injection and SQL Injection). Set rules that block known Magecart domains from accessing your site.

It is important to note that these traditional security measures are not 100% effective because Magecart is compromising first- and third-party code as well as constantly registering new domains.

Mitigate third-party risk

Ticketmaster UK was hacked in June 2018 after Magecart injected credit card skimming code inside their third party chatbot vendor, Inbenta. In December 2018, Magecart compromised a retargeting script from Adverline, a French advertising firm. The Adverline hack impacted 277 eCommerce websites.

Magecart has moved from just hacking individual sites and their code to compromising third-party vendor code. This shift comes at a time when companies are adding more and more third parties to their websites for services like advertising, analytics, and A/B testing.

Across our retail customer base, third party content is on average responsible for 35% of a web page's weight and 61% of the number of files loaded.

composition first party vs third party

Source: Blue Triangle - Website Composition

Here are a couple tips to mitigate third-party vendor risks:

Scrutinize every third party loading on your website

First identify the third parties loading on your site, specifically the ones that have access to the most sensitive parts of your website (e.g. shopping cart, account signup, checkout).

third party inventory

Source: Blue Triangle - Third Party Inventory by Page

Now for every third party on your website, ask yourself:

  • Am I still using this? 
  • Is there another third party on my website that offers the same capabilities?
  • Does it need to load throughout the checkout process?
  • Is it loading other third party technologies (piggybacks)?
  • Who in my organization owns this relationship?

From here you can make data-driven decisions on what third parties to keep and ensure they are loading exactly where and what they should be. The more control you have over your third parties, the more secure you will be.

Regularly conduct vendor due diligence reviews

Just one audit isn't enough; you need to regularly vet your third party vendors and their code.

In late 2018, thousands of eCommerce websites using Magento were breached after Magecart hacked 20 unpatched and vulnerable Magento extensions. This highlights the importance of ensuring your third parties are protecting their code and adhering to the latest security best practices.

Block unauthorized transmission of personal data

If your first or third party code is compromised, you need to prevent this code from sending personal data to a Magecart domain. The most effective way to stop this from happening is by implementing a Content Security Policy (CSP) - the last line of defense from Magecart.

A Content Security Policy (CSP) allows you to control what domains can access your website and what file types they are allowed to load. So if Newegg had a well-built CSP in place throughout their checkout process, the Magecart domain neweggstats.com would have been blocked from receiving credit card information. 

Here's the graphic from earlier, but with a CSP in place.

csp-manager-hacker

To properly build, implement, and manage a CSP, you need to:

  1. Inventory all the domains that have access to your site
  2. Determine what domains are "approved" and what resources they're allowed to load
  3. Build the CSP based on the "approved" domains
  4. Implement the CSP and update it with every site release
  5. Be alerted on CSP violations

That process is easier said than done, which is why only 7% of the top 500 eCommerce websites in the US have a CSP header in place. We created a Content Security Policy Manager to address this problem - automating the creation and management of your CSP so you can protect your site from Magecart.

Here's the end result inside Blue Triangle:blue triangle content security policy

If you're worried about Magecart...

Protect your site in 24 hours or less by leveraging Blue Triangle to build and manage your Content Security Policy (CSP). Our CSP methodology has protected leading brands from Magecart and other related threats. Let us show you how we can help.

Content Security Policy Manager

Stay up to date