Magecart is back: Don't let digital skimmers ruin your COVID recovery plans

We’ve spent a lot of time over the past few months talking about COVID-19. There’s no denying its impact on corporate cybersecurity, both in providing an opportunity for phishing lures and exposing distracted, under-protected home workers. But as countries ease lockdowns and non-essential businesses are tentatively allowed to re-open, thoughts turn to driving that much-needed “v-shaped” recovery.  A big part of this will come down to online sales.

However, as events from recent days have shown, digital skimming gangs are primed and ready to take advantage. In response, it’s not enough to simply focus on your web servers — IT leaders also need to tackle cloud misconfiguration to reduce the attack surface.

On the hunt

So-called “Magecart” attacks first came to prominence a couple of years ago, although researchers have been tracking the groups behind them since 2015. They usually involve the seeding of malicious JavaScript code onto payment pages. When an unwitting user enters their details to pay for something on the site, they are exfiltrated and sent to a remote server. Some attacks, like the one against British Airways, involve direct targeting of the victim organisation. Others, like the Ticketmaster breach, go further up the digital supply chain with the aim of getting the malware on as many sites as possible.

New Magecart attacks are emerging all the time — there are said to be 12 or more groups operating today — but seem to have ramped up during the pandemic when more shoppers migrated to online channels. One report revealed a 20% increase in detected threats amid the crisis and the discovery of a new skimmer dubbed “MakeFrame”.

Over the past week the attacks have continued, with two of the world’s biggest retail chains hit. US-headquartered accessories specialist Claire’s and sister site Icing had skimming code placed on their payment pages. Data was stolen and sent to a malicious domain registered a month earlier. Also impacted was sporting retail giant Intersport, where malware was loaded onto its e-commerce stores in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina. Interestingly, the firm cleaned its web code of Magecart only to have it reappear 11 days later.

Danger in the cloud

At first glance, this would seem like a job for your web security team. However, it is more complicated than that. Another potential avenue for exploitation is via misconfigured cloud security platforms. For years researchers have been warning that companies are leaving cloud databases wide open without a password because they’ve misunderstood the service provider’s policies. It’s a problem that’s arguably becoming more acute today as companies invest in multi-clouds from different vendors — increasing the complexity of managing these systems securely with limited in-house resources.

Unfortunately, opportunistic cyber-criminals are now actively probing for exposed systems. A new piece of research out last week set up an exposed Elasticsearch instance as a “honeypot” to see how quickly it would be attacked. In the end, it took just eight hours for the first unauthorized request to come through. Over the duration of the research, the instance was attacked 18 times per day.

Although some attackers are stealing the data they find and holding it ransom, others are looking to plant malicious JavaScript on there. Researchers recently discovered Magecart code on three websites belonging to a single company, after attackers had found misconfigured AWS S3 buckets operated by the company. Their findings echoed a report from last year in which over 17,000 domains were compromised in this way.

Time to clean-up

You don’t have to look far to see the potential impact of a serious Magecart attack. Last year the UK’s Information Commissioner’s Office (ICO) issued a notice of intent to fine BA over £183 million for GDPR non-compliance. A major Magecart breach of the firm’s website in 2018 led to the theft of personal and financial data on 500,000 customers.

Yet despite its often big-name victims, Magecart more commonly affects smaller online firms with fewer resources to spend on cybersecurity. Often the code is left up for days before it is noticed, resulting in a potentially serious financial impact via chargeback fees. That’s not to mention the brand damage and possible non-compliance fines.

Here are a few best practice tips for mitigating the threat:

• On the web security side, implementing Content Security Policy (CSP) and Subresource Integrity (SRI) can help


• Consider browser plugins such as NoScript which can block JavaScript loading from untrusted sites 


• Install patches from your e-commerce/payments platform provider as soon as they are


• Keep AV on and up-to-date at all times


• Maintain PCI DSS compliance


• Regularly test incident response plans


• Invest in Cloud Security Posture Management (CSPM) to spot and remediate any configuration errors

At a time when the global economy needs all the help it can get, cyber-resilience becomes an essential pre-requisite for a rapid recovery from the current crisis.