IOTW: World’s Third Largest Music Company Falls Prey To Magecart Attack


Seth Adler

[Records Exposed: Undisclosed  |  Industry: Entertainment, eCommerce  |  Type Of Attack: Magecart]

The Facts:

Warner Music Group Corp. boasts a whopping 62 years in the music and entertainment industry. Founded in 1958 under the name Warner Bros. Records, the New York corporation is the third largest music company in the world, employing thousands of people and bringing in over $4 billion a year since 2017. However, no enterprise, big or small, is immune to cyber attacks.

On August 5, WMG issued a statement regarding a security incident that affected an undisclosed number of ecommerce customers. While WMG is staying tight-lipped about which of its ecommerce stores were affected (WMG divisions include Elektra and Atlantic Records as well as subsidiaries such as Uproxx and Songkick), it has disclosed the type of information exposed in the attack. According to WMG,

“Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party. This could have included your name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV and expiration date).

Payments made through PayPal were not affected by this incident.”


Customers who may have been affected received a notice of the data breach along with a year of free credit monitoring through Kroll. While customers were not informed of which ecommerce sites were compromised, WMG admits that the vulnerability was active from April 25 to August 5.

WMG did not explicitly divulge the type of attack, but the M.O. leads to the assumption that it was what is known as a Magecart attack. Also known as skimming, it is an attack in which an ecommerce website is infiltrated and planted with a piece of code that records customer data as customers key it in. Sometimes attackers break into the server infrastructure to plant the code. In the case of WMG, which says in its statement that the affected websites were “hosted and supported by an external service provider,” it appears the hacker ran the skimmer script through a compromised third party.

WMG also reports that “Upon discovering the incident we immediately launched a thorough forensic investigation with the assistance of leading outside cybersecurity experts and promptly took steps to address and correct the issue. We also notified the relevant credit card providers as well as law enforcement, with whom we continue to operate.”

Lessons Learned:

Magecart attacks are easily executed because they only need to affect one source of vulnerable code in order to work. Most ecommerce websites operate using software from several third, fourth, or even fifth parties. Shopping cart plugins and cloud service providers are two examples of where a vulnerability may be present. Without specific interventions, outside software can operate across and access the full spectrum of a website’s code. Therefore, internal audits of a company website are not enough to ensure security from Magecart attacks.


Protecting against Magecart attacks isn’t automatic or easily applied. It takes a team to develop a zero-trust strategy for JavaScript, one that allows only specific scripts to access sensitive customer data. Additionally, because the malware simply records information, it can go undetected for weeks or even months, as the WMG incident demonstrates.

Magecart attacks are on the rise, as the pandemic has shifted commerce online. In an interview with TechRepublic’s Scott Matteson, Peter Blum, vice president of technology at app delivery provider Instart, offers additional advice. “The best defense against Magecart attacks is preventing access. Online companies need a solution that intercepts all of the API calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.”
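One way to put the script-allowlisting idea above into practice is to audit the script tags a checkout page serves against an approved list and to emit a matching Content-Security-Policy. This is an added example, not code from WMG, Instart or the original article; the origins, `SAMPLE_HTML` and all function names are constructed for illustration.

```javascript
// Added example: origins and markup below are constructed, not from the WMG incident.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = ["https://cdn.payments.example"]; // hypothetical approved third party
const SAMPLE_HTML = `
<script src="/static/cart.js"></script>
<script async src="https://cdn.payments.example/v3/sdk.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.payments.example/v3/fields.js"></script>
<script src="https://analytics-widgets.example/tag.js"></script>
<script>document.title = "Checkout";</script>`;

// Pull name="value" attributes out of one opening tag (valueless ones are skipped).
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per script that breaks the allowlist policy.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const [, tagBody] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(tagBody);
    if (!attrs.src) { findings.push({ src: null, issue: "inline-script" }); continue; }
    const origin = new URL(attrs.src, pageOrigin).origin; // resolves relative paths
    if (origin === pageOrigin) continue;                  // first-party file
    if (!allowedOrigins.includes(origin)) {
      findings.push({ src: attrs.src, issue: "origin-not-allowlisted" });
    } else if (!/^sha(256|384|512)-/.test(attrs.integrity || "")) {
      // Checks only that an SRI attribute is present and well-formed, not the digest.
      findings.push({ src: attrs.src, issue: "missing-sri" });
    }
  }
  return findings;
}

// CSP that makes the browser enforce the same allowlist on every page load.
function buildCsp(allowedOrigins) {
  const scriptSrc = ["'self'", ...allowedOrigins].join(" ");
  return `default-src 'self'; script-src ${scriptSrc}; form-action 'self'`;
}

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS));
console.log(buildCsp(ALLOWED_ORIGINS));
```

A static audit only sees the markup the server sends; the CSP header is what stops the browser from loading script from origins outside the list at run time, and the SRI check is what catches an approved file that has been altered.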
