Magecart Web-Based Supply Chain Attacks Increasing

Exploring the impact of this threat vector and how to avoid being the next victim

Website owners are currently experiencing a dramatic increase in the frequency of browser-session attacks. Magecart exploits a flaw common to virtually every website to skim personal and payment card data, and it is a vulnerability that neither firewalls nor WAFs protect against. Application security testing is certainly a good idea, but it falls far short of preventing Magecart attacks. Thus, if you operate a website today, you are susceptible to this type of attack.

Why is the Magecart attack vector so attractive? According to Graham Cluley, it’s because of:

  1. Scalability. All hackers have to do is compromise one piece of third-party code and impact many websites/website visitors.
  2. Ease of attack. Traditional attacks have to get past many layers. All you have to do here is hack one piece of third-party code.
  3. Scope of information. Most websites don't store all payment information on their own servers, but Magecart skims all information entered into the website (e.g. the CVV code typed by customers).

Cluley is an award-winning security blogger, researcher, podcaster, and public speaker well known for his “Smashing Security” podcast. He wrote the first ever version of Dr. Solomon's Anti-Virus Toolkit for Windows, and has given talks about computer security for some of the world's largest companies. He has worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining security threats. Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011.

See Related: "Mitigating Magecart Attacks – Why Real-Time Prevention Is Your Best Option"

Cluley recently joined Matt McGuirk and Mark Bermingham of Source Defense in order to expand the discussion around this rapidly accelerating attack type because “we’ve seen a lot of press around discovery and detection. Thousands of websites have been impacted globally. Unfortunately, there has been very little prescriptive information around how to mitigate these types of attacks.” 

The Impact Of Magecart Attacks

There are myriad significant impacts that arise from these attacks. The most direct impacts include:

  • Website Defacement
  • Session Hijacking
  • Payment Card Skimming
  • Malware Insertion
  • Personal/Confidential/Private Data Theft

The obvious follow-on impacts include:

  • Brand damage
  • Financial impacts
  • Operations costs because of remediation and third-party vendor replacement
  • Fines, including those under GDPR and the looming California Data Privacy Act

Customer data privacy and compliance are worth exploring further. What is not immediately obvious today is that data privacy and compliance are affected with or without a third-party compromise. This is because third-party vendors are granted the same level of permissions, access and control as the site itself over all webpage content rendered or entered on the page. The implication is that control over the data is not possible, and therefore compliance becomes impossible. Compliance diligence requires new thinking about the security model that ensures data privacy, because third-party integrations into webpages, which are universally used, make data privacy impossible to guarantee under the current model.

How To Prevent Magecart Attacks

The best thing security pros can do to prevent an attack is to implement technology that controls the access and permissions of every third-party JavaScript vendor running on web pages. This insulates websites, their visitors and private customer data from the inappropriate or unwanted behaviors of third parties and the more malicious activities of hackers that seek to exploit them.

See Related: "Safeguard Websites From Third-Party JavaScript Attacks"

Prevention approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by third-party website vendors or hackers, an organization is in a state of non-compliance.

Here is a snapshot of some other best practices that can help prevent this attack vector:

Content Security Policy (CSP): CSP lets administrators declare, through an HTTP response header, which origins the browser should treat as valid sources of scripts and other resources, so only content from these whitelisted domains can be loaded into the page. In particular, only JavaScript received from whitelisted domains will be executed, and requests to unlisted hosts can be refused.

Sub-Resource Integrity (SRI): SRI attaches a cryptographic hash of the expected file to the script tag, allowing browsers to verify that the JavaScript they fetch has been delivered without unexpected manipulation. If the fetched file does not match the pinned hash, the browser refuses to run it, which provides a path to ensure malicious JavaScript won't be loaded from compromised third parties.

iframes and Sandbox iframes: Vendor JavaScript can be placed in an iframe served from a different domain (a "foreign" iframe). The iframe then acts as a container, and the vendor's JavaScript has no direct access to the host page's DOM or cookies. For additional security, the sandbox attribute can apply further safeguards, such as forcing the frame into a unique origin and thereby controlling its access to cookies and scripting.

Monitoring & Detection: The most common approach to website security is reactive detection technology (DAST, RASP). These technologies allow some impact to occur before a detection is made. In many cases this attack type is extremely evasive and hyper-targeted at a very small and specific sub-population of users, which lets it evade most detection approaches.

“I think what I would say to people is Magecart: Serious threat – you need to do something about it. The losses can be considerable, and the impact on your customers can be considerable as well,” said Cluley. “It’s your brand which gets dragged through the gutter if you’re unfortunate enough to suffer one of these kinds of attacks. So put the time and effort in now to get clued in about these things and make sure you’re not the next victim.”

On February 27th, Cyber Security Hub hosted a web seminar which tapped into the expertise of Cluley and Source Defense to present various preventative approaches. To learn more preventative ways to protect the enterprise, Listen On Demand Here.