The Nasstarian

Magecart: Time to Focus on Web Security to Mitigate Digital Skimming Risk

In analysis / By Phil Muncaster / 01 October 2018

When we talk about data breaches, it usually involves stories of customer databases being compromised. But there’s another threat which could be just as damaging. Whilst not exactly new, digital skimming has hit the headlines in a big way in recent months after a spate of attacks compromised the websites of some of the biggest names on the web. From BA to Ticketmaster and, most recently, US retailer Newegg, firms all over the world have found malicious code on their sites lifting data on millions of customer cards as it’s entered.

If you haven’t already, it might be time to redouble your efforts to secure web servers and check any code running on your applications — including scripts hosted by third parties.

Magecart on the rise

Magecart has been tracked by one security vendor since 2016. The name refers not to a single threat group but to the code itself, which has been found on over 800 sites with payment functionality around the world. That code is a relatively small snippet of malicious JavaScript, inserted either directly into the payment page of a targeted organisation or into third-party code hosted by a supply chain partner. Either way, the end result is the same: it acts as a kind of virtual skimming device, lifting card details as they are typed in by customers.

Ticketmaster and the vast majority of those 800 affected web firms were compromised via this supply chain vector. It’s something I wrote about earlier this year when a National Cyber Security Centre report warned that these types of attack “are extremely difficult (and sometimes impossible) to detect.” Most famously, this MO was used to kick-start the notorious NotPetya ransomware campaign, when popular Ukrainian accounting software was infected with malware.

Most recently, Magecart has been used in even more sophisticated attacks where the target organisation has been compromised directly. This is what happened at BA and Newegg. It’s unclear exactly how the attackers compromised these firms’ web servers, but we do know that great care was taken to ensure the malicious code “blended into the background”. For example, the domain to which stolen card data was sent was named similarly to the official Newegg/BA primary domains and authenticated via Comodo certificates. This shows the lengths the attackers are prepared to go to in order to avoid detection.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” warned RiskIQ.

Fighting back

The impact of this kind of digital skimming breach could be devastating for a compromised firm. Because the code lifts card data from the payment form as it is typed into the affected website, the details are captured before any encryption applies. The details also include the CV2 number, which businesses are forbidden from storing under PCI DSS rules. The cumulative effect of this is that the stolen data is easier for the hackers to monetise on the cybercrime underground.

That’s going to make Magecart an increasingly popular tactic among cyber-criminals. As a reminder of what’s at stake, Equifax was recently fined £500,000 by the ICO — the maximum possible — for failing to follow security best practices. It’s clear the penalty would have been much higher had it been investigated under the GDPR, under which maximum fines can rise to 4% of global annual turnover, or £17m.

That should make revisiting your web security an urgent priority. Here are a few best practice suggestions:

**Regular patching of servers:** a new report from SecurityScorecard found that over 90% of US retailers are failing PCI compliance, in part because they’re not patching promptly.

**Regular web vulnerability scanning and pen testing:** to check for vulnerabilities that could allow for compromise. Cross-site scripting is most likely the way BA and others were initially attacked, but other common flaws include SQL injection, which is relatively straightforward to fix but a major risk if left unaddressed.

**Tighten access controls to web infrastructure:** restrict access according to the principle of least privilege, and replace admin passwords with multi-factor authentication (MFA).

**Properly configured firewalls:** another staple of good web security.

**For the techies:** a Content Security Policy (CSP) and Subresource Integrity (SRI) could have prevented malicious modifications of scripts, according to researcher Scott Helme.

**Vet your supply chain:** it pays to monitor all third-party scripts on your site.

**OWASP Top 10:** has more information on the biggest web application threats out there.

**Try an MSP:** if your in-house capabilities are stretched, a reputable managed service provider could help by providing more secure web infrastructure than you’re able to.

Phil Muncaster

Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.
