Magecart Web-Based Supply Chain Attacks Increasing
Exploring the impact of this threat vector and how to avoid being the next victim
Currently website owners are experiencing a dramatic increase in the frequency of browser session attacks. Magecart leverages a universal website flaw to skim personal and payment card data from websites. This is a universal vulnerability not protected by firewalls or WAFs. Application security testing is certainly a good idea, but falls far short of preventing Magecart attacks. Thus, if you operate a website today, you are susceptible to this type of attack.
Why is the Magecart attack vector so attractive? According to Graham Cluley, it’s because of:
- Scalability. All hackers have to do is compromise one piece of third-party code and impact many websites/website visitors.
- Ease of attack. Traditional attacks have to get past many layers. All you have to do here is hack one piece of third-party code.
- Scope of information. Most websites don't store all payment information on their websites, but this Magecart skims all information entered into website (i.e. CVV code from customers).
Cluley is an award-winning security blogger, researcher, podcaster, and public speaker well known for his “Smashing Security” podcast. He wrote the first ever version of Dr. Solomon's Anti-Virus Toolkit for Windows, and has given talks about computer security for some of the world's largest companies. He has worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining security threats. Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011.
Cluley recently joined Matt McGuirk and Mark Bermingham of Source Defense in order to expand the discussion around this rapidly accelerating attack type because “we’ve seen a lot of press around discovery and detection. Thousands of websites have been impacted globally. Unfortunately, there has been very little prescriptive information around how to mitigate these types of attacks.”
The Impact Of Magecart Attacks
There is a myriad of significant impacts that arise from these attacks. The most direct impacts include:
- Website Defacement
- Session Hijacking
- Payment Card Skimming
- Malware Insertion
- Personal/Confidential/Private Data Theft
The obvious follow-on impacts include:
- Brand damage
- Financial impacts
- Operations costs because of remediation and 3rd party vendor replacement
- Fines including GDPR and the looming CA Data Privacy Act
Customer data privacy and compliance is worth exploring further. What’s not immediately obvious today is that data privacy and compliance are being impacted with or without a third-party compromise. This is because these third-party vendors are granted the same level of permissions, access and control over all webpage content rendered or entered on webpages. The implication is that data control is not possible. Therefore, compliance becomes impossible. Compliance diligence requires new thinking around the security model that ensures data privacy because third-party integrations into webpages, which are universally used make data privacy impossible to ensure.
How To Prevent Magecart Attacks
Prevention approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by third-party website vendors or hackers, an organization is in a state of non-compliance.
Here is a snapshot of some other best practices that can help prevent this attack vector:
Monitoring & Detection: The most common approach to address website security is reactive, detection technologies (DAST, RASP). These technologies allow some impact before the detection is made. In many cases, this attack type is extremely evasive and hyper-targeted to a very small and specific sub-population of users evading most detection approaches.
“I think what I would say to people is Magecart: Serious threat – you need to do something about it. The losses can be considerable, and the impact on your customers can be considerable as well,” said Cluley. “It’s your brand which gets dragged through the gutter if you’re unfortunate enough to suffer one of these kinds of attacks. So put the time and effort in now to get clued in about these things and make sure you’re not the next victim.”
On February 27th, Cyber Security Hub hosted a web seminar which tapped into the expertise of Cluley and Source Defense to present various preventative approaches. To learn more preventative ways to proctect the enterprise, Listen On Demand Here.