How retailers can defend against cyberattacks


There’s a new form of cyberattack hitting online businesses that has security experts in retail and other industries working overtime to protect their companies.

Variously called “formjacking,” “web skimming” or “Magecart,” the bad news is that an average of 4,800 websites are compromised by such attacks each month, according to cybersecurity firm Symantec. The good news is that 3.7 million attacks were blocked last year.

Yonathan Klijnsma, a threat researcher at cyber threat intelligence firm RiskIQ, says Magecart is evidence that online businesses “remain one of the most vulnerable means of stealing credit card data.”

It was October 2018 when RiskIQ first identified Magecart, which attacks ecommerce sites running outdated and unpatched versions of shopping cart software. Rather than attacking consumers directly, Magecart, allegedly the work of a group of Eastern European criminals, gets malicious code into sites run by businesses and uses it to steal card information.

The code can be difficult to detect, and once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumers being aware that the information has been compromised, according to the Payment Card Industry Security Standards Council.

“Magecart is growing and continues to grow,” warns Alex Hamerstone, a cybersecurity analyst with information security consulting firm TrustedSec.


Jason Glassberg, a “white hat” hacker who founded Casaba Security, says Magecart gets its code onto servers using phishing emails and similar diversions where the attacker lures the user into clicking on a link that installs malware on a computer for the purposes of obtaining personal information.

“This is an attack on business servers,” he says, “and this is especially troubling.”

The malicious code installed on a server is typically triggered when an online shopper submits his or her payment information during checkout. The retailer or other business — the travel industry has been particularly hard hit — eventually gets the information and it looks as though it were processed normally even though it wasn’t.

“Unfortunately, the retailer is held responsible,” Glassberg says. “It happens behind the scenes. Attacks used to be directly on credit cards and personal information.”

The Magecart attacks are described as “web skimming” because they replicate in cyberspace what old-fashioned physical skimmers did when placed over the card slots of automated teller machines and gas pumps to “skim” card data. The name “formjacking” comes from the way the malicious code hijacks the virtual payment forms used online.

Magecart attacks may sound like small potatoes, capturing one transaction at a time, but they are now responsible for most web-related data breaches, according to application services firm F5 Networks. F5 examined 83 breaches attributable to formjacking attacks on web-payment forms and found that the total number of payment cards compromised was almost 1.4 million. Fewer than half the breaches involved retailers.

“The lesson is clear: For any organization that accepts payment cards via the web, their shopping cart is a target for cybercriminals,” F5 threat researchers Ray Pompon, Sander Vinberg and David Warburton wrote in an article on Magecart attacks.

The criminals making the attacks do not have to breach every server at every ecommerce business. All they have to do is compromise one component on a website, such as a chatbot or a shopping cart or anything else supplied by a third party. Infecting even one shopping cart supplier allows Magecart to compromise every website using that shopping cart platform.


Magecart attacks have precipitated some major data breaches, including at Marriott International, where 383 million guest records were available, and British Airways, where personal information on 380,000 people booking flights was captured. The largest Magecart-induced breach involving a retailer was probably at electronics and home goods retailer, where at least 500,000 visitors were exposed.

Hamerstone says using “basic hygiene” when developing a site, as well as being more security conscious, is the best way retailers can protect themselves against the attacks. As for ecommerce sites already up and running, he says there has to be a high priority on an information security program. He also advises “holding vendors responsible for the contributions they make and making sure they are secure.”

Glassberg suggests having active security between layers on a server so even if hackers make it to the front line, they don’t go any deeper.

“Retailers should be vigilant in monitoring traffic coming in and going out,” he says. “They should have a web application firewall, which screens traffic. Also, information should be sent only to listed servers, not to any server out there.”

There are three vectors which are typically exploited in these types of attacks, Glassberg says. The first is the supply chain, so the retailer has to make sure “anyone connecting to the system needs to have rigid security.” The second is third-party programming such as chat windows and advertising users. The third is activity and traffic monitoring services. “The fewer third parties you have on your site, the safer you’ll be.”
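Glassberg's advice that information should be sent only to listed servers is what a Content-Security-Policy header enforces in the shopper's browser. The script below is an added example, not code from the article or from any of the firms quoted: it evaluates a policy's connect-src and form-action directives against a destination and places a permissive policy beside a restrictive one. All host names (shop.example, payments.example.com, checkout.example.com) are constructed placeholders.

```javascript
// Minimal evaluator for the two Content-Security-Policy directives that
// decide where a checkout page may send data: connect-src (fetch/XHR/
// beacon) and form-action (HTML form posts). Host names are placeholders.

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}
const NETWORK_SCHEMES = ['http:', 'https:', 'ws:', 'wss:'];
const portOf = (u) => u.port || (u.protocol === 'http:' || u.protocol === 'ws:' ? '80' : '443');
// CSP source matching: 'self', keyword sources, scheme sources ("https:") and
// host sources ("[scheme://][*.]host[:port|:*]", path ignored for brevity).
function sourceMatches(src, dest, page) {
  const s = src.toLowerCase();
  if (s === "'self'") return dest.protocol === page.protocol && dest.host === page.host;
  if (s.startsWith("'")) return false; // 'none', nonces, hashes never name a destination
  if (s === '*') return NETWORK_SCHEMES.includes(dest.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return dest.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme ? dest.protocol === scheme + ':'
    : dest.protocol === page.protocol || (page.protocol === 'http:' && dest.protocol === 'https:');
  const hostOk = wildcard ? dest.hostname.endsWith('.' + host) : dest.hostname === host;
  if (!schemeOk || !hostOk) return false;
  if (port === '*') return true;
  return port ? portOf(dest) === port : dest.port === ''; // no port given: default port only
}
// connect-src falls back to default-src when absent; form-action does not,
// so omitting it leaves form submissions unrestricted.
function isAllowed(header, directive, destination, pageOrigin) {
  const policy = parsePolicy(header);
  let sources = policy[directive];
  if (sources === undefined) {
    if (directive === 'form-action') return true;
    sources = policy['default-src'];
    if (sources === undefined) return true;
  }
  const dest = new URL(destination), page = new URL(pageOrigin);
  return sources.some((src) => sourceMatches(src, dest, page));
}
const PAGE = 'https://shop.example';
// Weak: card data may be sent to any origin, so injected skimmer code can exfiltrate freely.
const WEAK_POLICY = "default-src 'self'; connect-src *; form-action *";
// Hardened: only the payment gateway and checkout endpoint are reachable; any other server is blocked.
const HARDENED_POLICY = "default-src 'self'; connect-src 'self' https://payments.example.com; form-action 'self' https://checkout.example.com";
```

A report-uri or report-to directive on the same header turns every blocked send into a violation report, which is the signal to monitor for an injected skimmer.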


The National Retail Federation is playing a major role to help retailers battle against Magecart.

The topic has been “on our radar screen” for over a year, says NRF Senior Director for Retail Technology and Cybersecurity Christian Beckner. “Every time there is a public report about [a Magecart attack], we share this with our members.”

NRF circulated an in-depth report on the subject to retailers earlier this fall. More informational outreach is being developed, including sessions on cyberattacks and a cybersecurity workshop at NRF 2020 Vision: Retail’s Big Show, the association’s upcoming annual conference in New York City in January.

In tracking cyber threats, NRF separates them into two groups, according to Beckner. First are those directed at any IT system in the private or public sector, such as ransomware or email phishing. Then there are the threats directed toward customer-facing businesses such as retail, hospitals, transportation and hospitality.

When asked how retailers can protect themselves against Magecart threats, Beckner echoes many other cybersecurity experts: “Monitor third parties on your website. It’s almost a governance issue — keep track of them.”

“It is definitely in the top five,” Beckner says in ranking Magecart among cyber threats. “Among consumer-facing businesses, it is in the top three,” falling behind only attacks on point-of-sale systems and account takeovers.

David P. Schulz has been writing for STORES since 1982 and is the author of several non-fiction books.


