Magecart Attacks: How to Defend Your eCommerce Solution

To anyone outside the information technology field, “Magecart” may sound like an abstract term. Yet it is a word heard often in the world of eCommerce and online security, especially in the last few years. Magecart attacks have increased by 20% during the global pandemic, causing widespread damage to businesses and their customers.

Let’s deconstruct Magecart attacks, and explore ways that you can defend your eCommerce solution and your customers.

What is Magecart?

“Magecart” refers to a kind of online fraud in which one or more bad actors intercept transaction data during the checkout process. Magecart also goes by names such as digital skimming, front-end attacks, e-skimming, and formjacking.

These attacks run in the customer’s browser (the client side) and capture whatever a user or customer types into the page. The perpetrators attempt to steal customers’ personally identifiable information (PII), such as email addresses, login credentials, and credit card numbers, by injecting malicious JavaScript code into the website.

In a troubling twist, a Magecart attack may inject completely new fields into an existing form to glean further information. Customers are none the wiser while entering sensitive data on a compromised page, and businesses often discover the compromise only weeks or even months later, after hackers have been continuously stealing information the whole time.

Hackers also use Magecart attacks to target an online store via its third-party providers. In pursuit of the best shopping experience for customers, businesses often load third-party scripts in their client-side code. This makes building eCommerce solutions faster and more cost effective, with more options to quickly alter and update the website. However, it also means that merchants do not have complete control over the code running on their website. An eCommerce solution may contain code from upwards of 30 different providers, all of which have the same rights in the browser as your proprietary code. Once a third-party provider has been compromised, the door is open to all of that provider’s customers.
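Subresource Integrity (SRI) is one way a merchant can regain some of that control: the reviewed copy of a third-party script is pinned by its hash, and the browser refuses to run any copy that no longer matches. The Python below is an added illustration, not code from this article or from Lokte; the script contents and the provider URL are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for a vetted third-party checkout script as reviewed
# and deployed by the merchant (not a real library).
VETTED_SCRIPT = b"window.checkoutHelper = function (form) { return form.elements.length; };"

# Constructed: the same file after one statement has been appended at the provider.
TAMPERED_SCRIPT = VETTED_SCRIPT + b"\nconsole.log('changed');"


def sri_integrity(script: bytes, algorithm: str = "sha384") -> str:
    """Return the Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algorithm, script).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script: bytes) -> str:
    """Render the <script> tag that pins the vetted copy; a browser enforcing SRI
    will refuse to execute any fetched copy whose digest differs."""
    return (f'<script src="{src}" integrity="{sri_integrity(script)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(script: bytes, expected: str) -> bool:
    """Server-side re-check of a freshly fetched copy against the pinned value (the
    same comparison the browser performs), useful for periodic monitoring of
    providers whose scripts should not change between reviews."""
    algorithm, _, _ = expected.partition("-")
    return hmac.compare_digest(sri_integrity(script, algorithm), expected)


if __name__ == "__main__":
    pinned = sri_integrity(VETTED_SCRIPT)
    print(script_tag("https://cdn.provider.example/checkout-helper.js", VETTED_SCRIPT))
    print("vetted copy accepted:", verify_integrity(VETTED_SCRIPT, pinned))
    print("tampered copy accepted:", verify_integrity(TAMPERED_SCRIPT, pinned))
```

SRI can only pin scripts whose contents stay fixed between reviews; providers that rotate their files frequently need a different control, such as a Content Security Policy or a self-hosted, reviewed copy.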

Now that online shopping is at an all-time high due to Covid-19, a perfect opportunity has emerged for criminals to put Magecart attacks to work.

How do Magecart attacks work in real life?

Some of the world’s top brands across diverse industries have fallen victim to Magecart attacks in recent years. This shows that those carrying out Magecart attacks do not discriminate by the size, industry, or prominence of the businesses their automated tools pick as targets.

Here are just a few well-known examples of Magecart attacks in the wild:

  1. In 2018, Ticketmaster reported that hackers had stolen payment information from many of its websites. RiskIQ confirmed that the data breach occurred as a result of Magecart agents placing skimmers on checkout pages via third-party suppliers. The hackers also attacked the third parties themselves, which granted them access to over 800 eCommerce websites.

  2. In mid-2020, eight U.S. city websites were found to contain card-detail-skimming software. In this case, the skimmer captured payments made via Click2Gov, a self-service portal used by citizens to pay utility bills and parking fees. The attackers stole visitors’ names, addresses, and corresponding credit card information.

  3. In February 2020, RiskIQ revealed that Magecart Group 8 had inserted a JavaScript skimmer on Nutribullet’s global website to obtain credit card details. Although Nutribullet reportedly removed the skimmer several times, new versions of the malicious tool kept reappearing, and the site was terrorized for nearly a month.

  4. In 2018, British Airways reported that the sensitive data of over 400,000 customers had been stolen. The Magecart attack targeted payments made on British Airways’ main website and its app between August 21st, 2018, and September 5th, 2018. Consequently, the airline giant received a staggering £183 million fine under GDPR for not adequately protecting sensitive customer data.

  5. Forbes magazine suffered a Magecart attack when web-skimming scripts were found on its subscription website. Attackers stole the credit card details of customers who were hoping to sign up to read the popular financial magazine.

This smattering of cases conveys the destructive impact a Magecart attack can have on a business. With the upswing in online shopping, Magecart attacks will only grow in number and severity. For example, RiskIQ zeroed in on a new Magecart group, appropriately titled “MakeFrame”, which creates iframes for skimming payment data. This type of Magecart attack has already been identified on 19 different websites.

How can a Magecart attack impact your business?

  • Loss of reputation: Mishandling the sensitive personal data that customers entrust to you when they make a purchase may cause irreversible damage to your business. Once customers become aware that your website has fallen victim to a Magecart attack, that knowledge stays with them.

  • Monetary loss: After the loss of customer trust, Magecart attacks tend to bring financial hardship in the form of fewer visitors to your site, or the closure of your website while the issue is rectified. Either way, a Magecart attack may mean the permanent end of your business.

  • Legal ramifications: If the first two effects were not enough, the regulatory consequences could bring even more financial damage in the form of fines, along with unwanted publicity around the attack that may scare away any remaining customers. The British Airways case exemplifies the potential severity of the legal repercussions of a Magecart attack.

How can your business stay safe from Magecart attacks?

The first step in keeping your business safe from online attacks (including Magecart attacks) is to properly prepare your staff and your business security policies for a potential attack. We go into more detail about investing in security knowledge for your business in our other articles, but here is a quick overview:

  • Build a security-minded culture in your workplace, in which you support and incentivize staff members to follow your security measures every day.

  • Draft official security protocols for your business, including policies and response plans for various emergency situations.

  • Develop regular security training for employees to ensure they are knowledgeable on the topic, and know how to act when a potential attack occurs. Engage all staff members and make exercises as interactive as possible.

  • Ensure that your hardware, software, tools, and devices are up to date and patched at all times. If your staff bring their own devices to work, make sure those devices are held to the same standards and that staff follow the appropriate security protocols while using them.

Safeguard your business against Magecart attacks with Lokte’s Data Breach Monitoring tool

While it is essential to fortify your business by training staff and establishing strong security governance, you will need more to stand against Magecart attacks. The cases mentioned above illustrate that even the world’s leading brands are not safe from these attacks and the challenges they bring. Magecart attacks are difficult to detect, so it may take weeks or even months before the malicious code is spotted. And, as in the Nutribullet case, the malware may simply find its way back into your online store after it has been removed.

To stop Magecart attacks altogether, you will need the latest technological tools to automate the job for you. Lokte’s Data Breach Monitoring detects suspicious activity on your website and immediately alerts both us and you so that appropriate action can be taken. The service works by monitoring user interaction with the site and comparing every outgoing server address against the whitelisted addresses in the Data Breach Monitoring tool. As a result, we are able to reduce the window of impact of a data breach to minutes instead of days, weeks, or months. Read more about our data loss prevention tool here, and book a time to talk to our security specialist today!
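The allowlist comparison described above, as an added Python example that is not Lokte’s code and makes no claim about how the Data Breach Monitoring tool is implemented: it parses a constructed log of outbound requests from a checkout page, flags every destination host that is not on the merchant’s allowlist, and derives the matching Content-Security-Policy connect-src directive from the same list.

```python
from urllib.parse import urlsplit

# Constructed sample of outbound requests observed from a checkout page, in a
# hypothetical "key=value" log format (not the format of any real product).
SAMPLE_LOG = """\
2021-03-02T10:15:01Z page=/checkout method=POST dest=https://api.payments.example/v1/tokens
2021-03-02T10:15:02Z page=/checkout method=GET dest=https://static.shop.example/js/cart.js
2021-03-02T10:15:02Z page=/checkout method=GET dest=https://eu1.cdn-partner.example/tag.js
2021-03-02T10:15:09Z page=/checkout method=POST dest=https://stats-collector.example.invalid/g
2021-03-02T10:15:10Z page=/checkout method=GET dest=HTTPS://Static.Shop.Example/img/logo.png
"""

# Hosts the checkout page is expected to contact (constructed). A "*." entry
# allows any subdomain of that domain, but not the bare domain itself.
ALLOWLIST = {"api.payments.example", "static.shop.example", "*.cdn-partner.example"}


def parse_log(text):
    """Yield (timestamp, page, method, hostname) for each non-empty log line."""
    for line in filter(None, text.splitlines()):
        timestamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        host = (urlsplit(kv.get("dest", "")).hostname or "").lower()
        if host:
            yield timestamp, kv.get("page", "?"), kv.get("method", "?"), host


def host_allowed(host, allowlist):
    """Exact match, or suffix match against wildcard entries such as '*.cdn.example'."""
    if host in allowlist:
        return True
    return any(host.endswith(entry[1:]) for entry in allowlist if entry.startswith("*."))


def find_unexpected_destinations(log_text, allowlist):
    """Return every request whose host is outside the allowlist. A POST from the
    checkout page to an unknown host is the pattern a skimmer sending card data leaves."""
    return [rec for rec in parse_log(log_text) if not host_allowed(rec[3], allowlist)]


def csp_connect_src(allowlist):
    """Express the same allowlist as a CSP connect-src directive, so the browser
    blocks (rather than merely logs) fetch/XHR/beacon requests to other hosts."""
    return "connect-src 'self' " + " ".join(sorted("https://" + e for e in allowlist))


if __name__ == "__main__":
    for ts, page, method, host in find_unexpected_destinations(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT {ts} {page} {method} -> {host}")
    print(csp_connect_src(ALLOWLIST))
```

connect-src governs fetch, XMLHttpRequest and sendBeacon requests; image loads and form submissions fall under img-src and form-action, so a complete policy should restrict those as well.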