
What do these companies all have in common? British Airways, Ticketmaster, Newegg, Delta Airlines, Sears, Procter & Gamble, and Macy’s. If you’re in the payments industry, you might assume the common thread is the high level of security around their e-commerce platforms and online customer data.


That’s not entirely the case: each of these well-known brands has recently been hit by Magecart attacks, the name used for the activities of at least seven cybercriminal groups that plant digital credit card skimmers on compromised e-commerce sites or on those sites’ business partners.

The problem, relatively unknown before 2016, is gaining momentum as the number of incidents, the cost of impact and the size of the global challenge are growing fast.

“The estimated value of the attacks has surpassed $1 billion (USD) and the number of successful attacks is in the thousands. Attacks are originating in Eastern Europe, Russia, and Ukraine,” said Deepak Patel, VP of Product Marketing at security consulting firm PerimeterX. 

The most recent attack, and a new low for cybercriminals, targeted a website collecting donations for the tragic bushfires in Australia; donors who gave through the site had their credit card information compromised.


“Magecart attackers keep hitting new lows. The attackers recently targeted a website that is collecting funds to help with the Australian brush fires. The attack kit was deployed on multiple domains confirming the organized effort of a Magecart group targeting sites that use the same underlying third-party code,” said Patel.

What is Magecart?

There is no single Magecart group. The term is used to describe a category that includes dozens of disconnected groups of cybercriminals who use similar client-side attack methods to steal customer payment information from e-commerce websites.

“The groups vary widely in their degrees of sophistication, reach and impact,” according to Patel. Other industry terms used to describe Magecart attacks include “digital skimming” or “formjacking,” Patel said in a recent company post.

Magecart attackers are after customer payment card data that they can sell to other hackers and criminals on the Dark Web, and they are making millions of dollars in the process.

How big is the threat?


Patel says the Magecart problem and its impact are growing fast. “Every industry or online business that processes payments on its website has been impacted. The top verticals have been airlines, retailers and charities.”

He says that with Magecart, cybercriminals have found an attack method that provides an easy way to skim users’ credit card data complete with names, addresses, zip codes and CVV numbers. These comprehensive stolen card records are worth more on the dark web than the individual components, he said.

“Attackers compromise a web server or third-party provider and place skimmer code into the website. The skimmer code directly collects user data from the browser and transmits it to a site controlled by the attackers,” Patel explained.

In analyzing attacks between May and July 2019 alone, PerimeterX said more than 960 e-commerce sites were attacked. The other data is equally shocking:

  • 17,000 domains were affected in a “spray and pray” method that scanned for vulnerabilities
  • 200+ online bookstores using the same e-commerce platform were compromised
  • well-known brands like Forbes, Garmin, Procter & Gamble, and even the American Cancer Society fell victim to Magecart attacks
  • thousands more e-commerce websites were likely impacted.

Contributing to the problem is a lack of visibility: website owners typically learn of a breach days or weeks after the code injection, which lets the skimmers monetize the stolen cards to the maximum extent before the attack is discovered or disclosed by those affected.

The cost of a single Magecart attack can be enormous. A class-action lawsuit on behalf of 500,000 UK consumers was launched in June 2019 against British Airways for credit card data stolen from its website.

“This two-week breach resulted in the largest GDPR fine in history at a staggering $230 million. The estimated penalties from the class-action lawsuit could be far worse, costing British Airways billions of dollars,” PerimeterX said in a recent whitepaper.

By the time the class-action lawsuit is settled, the cost to British Airways for the Magecart data breach could be in the billions of dollars.

Who else has been hit by Magecart attacks?

PerimeterX identifies a list of big brand names affected by recent Magecart attacks including:

  • Delta Airlines – 825,000 customer credit card numbers exposed in 2017 via a third party
  • Sears – 100,000 customer credit cards exposed in 2017 via a third party
  • Newegg – skimmer active for more than a month in 2018 on a site with over 50 million monthly active visitors
  • British Airways – an estimated 500,000 customers’ credit card data exposed on the company website in 2018
  • Procter & Gamble – 450,000 customers’ PII exposed early in 2019 via a third party.

In these attacks, the risk came not just from a company’s own e-commerce site but also from third-party suppliers and partners. That is what makes the challenge so substantial, according to Patel.

Complicating matters further is the lag between a company noticing an attack, reporting it, and informing partners, regulators and customers.

British Airways took two weeks to detect its attack. Forbes and Newegg learned of their third-party attacks a month later, and it took Delta Airlines, Sears and Topps two months to identify the problem. It took the National Baseball Hall of Fame and Procter & Gamble six and seven months respectively, and OXO two years, to recognize their attacks.

What can companies do to minimize risk?


Companies are exposed in three primary areas: first-party scripts in the company’s own e-commerce site code; third-party scripts, code components and libraries from partners that the site is built from; and the third-party e-commerce platforms and providers themselves, such as Magento, Volusion and OpenCart.

Cybercriminals recently attacked the Volusion cloud-based e-commerce platform by injecting malicious JavaScript code into customer checkout pages to steal payment card data. That attack compromised at least 6,500 online stores, including the Sesame Street e-commerce store, and possibly more than 20,000 other online stores, according to PerimeterX.

Website decision-makers may in fact have a false sense of security. A study by Osterman Research found that only 11% of respondents said they have complete insight into the third-party scripts on their website, yet nearly 90% of respondents believe those scripts pose only little to moderate risk.

Traditional security approaches can’t protect completely against Magecart attacks. “Traditional forms of web security like Web Application Firewalls (WAFs) will not protect against Magecart attacks since the data exfiltration bypasses the website owner’s infrastructure. Attackers are targeting third-party vendors’ infrastructure that typically has sub-standard security controls. Attackers then compromise web servers or open-source libraries to place skimmer code and harvest users’ credit card data.”

A WAF only inspects traffic to the site’s own infrastructure, so it never sees the browser sending card data to the attacker’s server. A Content Security Policy can restrict which origins a page may load from and connect to, but it cannot guarantee protection against code from an allowlisted third party that has itself been compromised, and static scanners cannot catch a skimmer injected between scans. Website security threats simply move too fast.

How can businesses protect themselves?


“Understand the complete implications of code injection: it is not just about Magecart attacks, login credentials and any data provided by the user are at risk,” Patel advised. “Protecting the payment pages alone is not enough. Attackers can modify the path to the payment page and present a fake payment page.”

Patel suggests businesses deploy a solution that monitors and detects changes to script behavior in real time. He also said periodic audits of the security controls of third-party vendors that provide scripts or code to the website are an important preventive step.

It leaves you wondering why web experts and company IT security advisers aren’t more proactive given the growing risks, the business continuity hazards, and the staggering potential costs of Magecart attacks.

PerimeterX has an excellent whitepaper on the Magecart threat which you can download for free here.

Brushfire photo courtesy of CNN