Since the first Magecart-style attacks were detected in 2010, there have been over 2 million detections. These attacks continue to rise, presenting a growing danger to online shoppers unaware that their credit card information can be stolen from their favorite eCommerce websites. Rather than representing one group or one specific piece of malware, Magecart has come to represent a distinct attack tactic. Numerous groups currently deploy Magecart-style attacks with varying degrees of skill, some more advanced than others. The most infamous Magecart attack was the breach of British Airways, where the credit card data of nearly 400,000 customers was compromised.
The attacker has two options for getting the code injected into the cart: directly compromising the website, or compromising a third-party piece of software such as an analytics script or widget. Because they go through a third party, Magecart attacks of the second kind can be classified as supply chain attacks, in which an attacker compromises a third party in order to compromise the targeted network. The supply chain attack that impacted retail giant Target is often cited as an example of how devastating such an attack can be.
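The third-party route described above works because a script the checkout page loads from someone else's server can change without the site operator noticing. The following is an added example (not code from the original article or from RiskIQ) of the kind of check a site operator can run against their own checkout page: it lists every third-party script tag, flags those without a Subresource Integrity (SRI) `integrity` attribute, and compares the currently served script body against a recorded baseline digest so that an upstream change is surfaced. All hostnames, script bodies and the baseline are constructed for the example; in practice the `fetched` dictionary would be filled by a crawler.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed script bodies standing in for what a crawler fetched when the
# page was first baselined (hosts, paths and contents are all made up).
WIDGET = "https://cdn.example-bucket.test/widget.js"
TAG = "https://analytics.example-vendor.test/tag.js"
KNOWN_GOOD = {
    TAG: b"window.track = function (e) { /* vendor analytics */ };",
    WIDGET: b"window.widget = function () { /* vendor widget */ };",
}
# Constructed: the same scripts fetched today; widget.js has changed upstream.
FETCHED_NOW = {
    TAG: KNOWN_GOOD[TAG],
    WIDGET: KNOWN_GOOD[WIDGET] + b"\n/* unexpected new code */",
}


def sri_hash(content: bytes) -> str:
    """SRI-style digest of a script body: 'sha384-' + base64 of SHA-384."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Baseline recorded when the page was last reviewed: URL -> expected digest.
BASELINE = {url: sri_hash(body) for url, body in KNOWN_GOOD.items()}

# Constructed checkout page: a first-party script, a third-party tag pinned
# with an integrity attribute, and a third-party widget with no pin at all.
CHECKOUT_HTML = f"""
<html><body>
<script src="https://shop.example.test/static/checkout.js"></script>
<script src="{TAG}" integrity="{BASELINE[TAG]}" crossorigin="anonymous"></script>
<script src="{WIDGET}"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html, fetched, baseline, first_party_host):
    """Return (url, issue) pairs for third-party scripts on the page.

    issues: 'no-sri'           - script is not pinned, so an upstream change runs silently
            'sri-mismatch'     - pinned digest no longer matches the served content
            'changed-upstream' - served content differs from the recorded baseline
            'unreachable'      - no content was fetched for this URL
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc
        if not host or host == first_party_host:
            continue  # first-party code is covered by the site's own change control
        body = fetched.get(src)
        if body is None:
            findings.append((src, "unreachable"))
            continue
        actual = sri_hash(body)
        if integrity is None:
            findings.append((src, "no-sri"))
        elif integrity != actual:
            findings.append((src, "sri-mismatch"))
        if src in baseline and baseline[src] != actual:
            findings.append((src, "changed-upstream"))
    return findings


if __name__ == "__main__":
    for url, issue in audit_page(CHECKOUT_HTML, FETCHED_NOW, BASELINE, "shop.example.test"):
        print(f"{issue:16} {url}")
```

Run as a script, the example reports `widget.js` twice: once because it is not pinned and once because its content no longer matches the baseline. The pinned `tag.js` produces nothing because its digest still matches. SRI only helps for scripts whose content is stable; a vendor script that legitimately changes often cannot be pinned, which is exactly why the baseline comparison is kept as a separate check.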
In a recent report published by RiskIQ, the nature and scope of the threat have been illuminated. Since the discovery of Magecart attacks, researchers have estimated that thousands of websites have been compromised; in one attack, a single automated script compromised over 960 websites. According to RiskIQ’s telemetry, the company has detected a total of 2,086,529 instances of Magecart. The most recent spikes in activity have been associated with supply chain attacks, researchers noted:
“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites”
The Rise of Group5
Of all the hacker groups being monitored by RiskIQ, one has risen to prominence. The group, codenamed Group5, focuses initially on targeting third-party suppliers such as the website analytics providers SociaPlus and Inbenta. The hackers then compromise the cart system used by a particular website to skim payment details from hundreds of websites. The group also targets unsecured Amazon S3 buckets, as they often store resources used by thousands of websites. In one instance, a threat actor automated the discovery and subsequent compromise process to impact more than 17,000 domains. Since April 2019, 18,000 hosts have had Magecart AWS injects.
While the raw statistics are worrying enough, the hackers also keep abreast of security developments to stay ahead of the game. Currently, groups are still targeting the Magento shopping platform as well as OpenCart, which remains typical for most hackers looking to employ Magecart-style attacks. As soon as a vulnerability in a shopping platform is disclosed or discovered, researchers see a spike in activity and in the number of victims. As soon as a patch is released, the numbers of detections and victims decrease until the next vulnerability is discovered.
Not only are groups looking to expand their Magecart operations, but they are constantly looking for other ways to distribute their card-skimming malware. Researchers noted, “Magecart groups are also compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once.” Of the malicious ads analyzed, at least 17% were seen distributing Magecart. Given the success of Magecart attacks, new threat actors are likely to adopt similar tactics.