At the start of July, the airline British Airways received a £183 million fine. The fine, handed down by the UK Information Commissioner’s Office (ICO), was for a data breach that affected some 500,000 customers last year. To begin with, no one knew who was behind this massive data theft. However, a few days after the news hit the headlines, InfoSec professionals started to talk about a group of cyberattackers called Magecart.

According to RiskIQ, Magecart has been attacking online companies since at least 2016. Its modus operandi is to insert malicious code in the websites of these companies in order to steal their customers’ data when they make a purchase. This technique is called digital skimming. Besides BA, Magecart’s victims include companies such as Ticketmaster, Forbes and Amazon CloudFront.

Two massive Magecart campaigns

At the start of July, security researchers discovered a large Magecart campaign that affected 962 e-commerce websites in just 24 hours. Sanguine Security – a company that scans for malware in Magento, a popular e-commerce platform – called it “the largest automated campaign to date”.

The company believes that the campaign could have been facilitated by a vulnerability in Magento. For example, in March, an SQLi vulnerability was discovered in the platform. Even though a patch was launched to fix the flaw, many companies have difficulty when it comes to patching their systems, so it is highly likely that a large number of organizations didn’t install the patch.

Then, on July 10, another massive campaign was discovered, in which cybercriminals managed to add Magecart code to over 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

The campaign, which began in April, exploited the fact that many sites that use Amazon cloud storage don’t properly secure access to their assets.

According to RiskIQ, the attackers modified the scrips indiscriminately; some of the affected JavaScript wasn’t on payment pages, so payment details couldn’t be stolen.

Yonathan Klijnsma of RiskIQ explains that, “Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket.”

Magecart: a danger for e-commerce

The Magecart group – in fact an umbrella organization for several subgroups – uses many advanced techniques to make their code injections harder to detect.

What procedure do they follow? In one particularly complex attack, the attackers registered a domain with a similar name to their victim’s. From this domain, they launched their script onto the victim’s website, blending it with the scripts already on the legitimate website. So as not to arouse suspicions, they went as far as to get an SSL certificate for their malicious domain. The group used this malicious script to steal the personal data of the website’s customers.

When the script was discovered and erased, the attackers maintained their access to the website. They registered a domain with a similar name to a chatbot used by the victim. With similar techniques, they kept attacking this company, stealing more personal data.

Dangers in the supply chain

One of the reasons that Magecart is such a dangerous threat is that it doesn’t just attack companies directly. One tactic that the group is using more and more frequently are supply chain attacks, a rising trend among cybercriminal organizations in 2019. One way of doing this is to install their code in the providers of web ads, which will then be embedded on the website that they want to attack. This way, they can sneak onto their victim’s websites unnoticed.

How to protect your company

Magecart has a wide range of techniques and vectors to threaten your company. This is why it is so important to have strict controls over your IT network and everything that happens on it.

Panda Adaptive Defense constantly monitors every process being carried out on the system. It detects any anomalous or suspicious process to stop all threats before they can happen. This way, any suspicious code will be detected.

It is thought that at least one of the massive Magecart campaigns was facilitated by a vulnerability in a web application. To reduce the attack surface, it is important to patch the systems and applications that your company uses. To make the task of patching your systems easier, Panda Adaptive Defense has the module Panda Patch Management.

Since e-commerce is a sector that is constantly growing, we are very likely to keep seeing Magecart attacks, which will exploit companies that don’t have adequate protections. As such, ensuring your company’s security, and by extension, your customers’ and users’, is more important than ever.