Magecart Attacks on the Rise

Since the first Magecart-style attacks were detected in 2010, there have been over 2 million detections. These attacks continue to rise, presenting a growing danger to online shoppers unaware that their credit card information can be stolen from their favorite eCommerce websites. Rather than representing one group or one specific piece of malware, Magecart has come to describe a distinct attack tactic. Numerous groups are currently deploying Magecart-style attacks with varying degrees of skill, some more advanced than others. The most infamous Magecart attack involved the breach of British Airways, where the credit card data of nearly 400,000 customers was compromised.

A Magecart attack involves a hacker targeting the shopping cart systems found on eCommerce websites. The process of stealing the credit card data is known as skimming and is done by the hacker injecting code, sometimes as little as 22 lines, into the cart's code. The code, often written in JavaScript, is loaded when a customer attempts to check out. The code then copies the credit card data entered by the customer and sends it to the hacker's command and control server.

The hacker has two options for getting the code injected into the cart: the first is directly compromising the website, and the second is compromising a third-party piece of software such as an analytics script or widget. Because they compromise a third party, Magecart attacks of the second kind can be classified as supply chain attacks, the term typically used when an attacker compromises a third party in order to compromise the targeted network. The supply chain attack which impacted retail giant Target is often cited as an example of how devastating such an attack can be.
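The third-party route described above means that the scripts a checkout page pulls from other origins are its supply-chain exposure. As an added example that is not part of the original article, the Node.js script below inventories the script tags on a constructed sample checkout page, separates first-party from third-party sources and flags the conditions a site owner would want to review: third-party scripts without an integrity attribute, and inline scripts that cannot be pinned at all. All hostnames and file names in the sample are made up for the example.

```javascript
// Constructed sample of a checkout page (made-up hostnames): one
// first-party script, one third-party script pinned with SRI, one
// third-party script without SRI, and one inline script.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.analytics-vendor.example/tracker.js"
        integrity="sha384-AbCd" crossorigin="anonymous"></script>
<script src="https://widgets.chat-vendor.example/widget.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Pull every <script ...>...</script> element out of the HTML together
// with its attributes. A regex is enough for this illustration; a real
// audit tool would use an HTML parser.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({
      src: attrs.src || null,
      integrity: attrs.integrity || null,
      inline: !attrs.src,
      body: m[2],
    });
  }
  return scripts;
}

// Classify each script relative to the shop's own hostname and record
// the findings a defender would review before the page goes live.
function auditScripts(html, firstPartyHost) {
  return extractScripts(html).map((s) => {
    const findings = [];
    let host = null;
    if (s.inline) {
      findings.push('inline script: cannot be pinned with SRI, review its contents');
    } else {
      host = new URL(s.src).hostname;
      if (host !== firstPartyHost) {
        findings.push('third-party origin: supply-chain exposure');
        if (!s.integrity) {
          findings.push('no integrity attribute: a modified copy would load unnoticed');
        }
      }
    }
    return {
      src: s.src,
      host,
      thirdParty: host !== null && host !== firstPartyHost,
      hasIntegrity: Boolean(s.integrity),
      findings,
    };
  });
}

// Usage: print the audit for the constructed page.
for (const entry of auditScripts(SAMPLE_CHECKOUT_HTML, 'shop.example')) {
  console.log(entry.src || '(inline)', entry.findings);
}
```

Running the audit against a page snapshot on every deploy, and diffing the list of third-party origins against the previous run, is one way a merchant gets an early signal that a new script source has appeared in the checkout flow.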


A recent report published by RiskIQ has illuminated the nature and scope of the threat. Since the discovery of Magecart attacks, researchers have estimated that thousands of websites have been compromised. In one particular attack, a single automated script compromised over 960 websites. According to RiskIQ's telemetry, the company has detected a total of 2,086,529 instances of Magecart. The most recent spikes in activity have been associated with supply chain attacks, researchers noted:

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites”

The Rise of Group5

Of all the hacker groups being monitored by RiskIQ, one has risen to prominence. The group, codenamed Group5, focuses on initially targeting third-party suppliers like the website analytics providers SociaPlus and Inbenta. The hackers then compromise the cart system used by a particular website to skim payment details from hundreds of websites. The group also targets unsecured Amazon S3 buckets, as they often store resources used by thousands of websites. In one instance, a threat actor automated the discovery and subsequent compromise process to impact more than 17,000 domains. Since April 2019, 18,000 hosts have had Magecart AWS injects.

While the raw statistics are worrying enough, the hackers also keep abreast of security developments to stay ahead of the game. Currently, groups are still targeting the Magento shopping platform as well as OpenCart, which remains typical for most hackers looking to employ Magecart-style attacks. As soon as a vulnerability in a shopping platform is disclosed or discovered, researchers see a spike in activity and a spike in the number of victims. Once a patch is released, the numbers of detections and victims decrease until the next vulnerability is discovered.

Not only are groups looking to expand their Magecart operations, they are also constantly looking for other ways to distribute their card-skimming malware. Researchers noted, “Magecart groups are also compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once.” Of the malicious ads analyzed, at least 17% were seen distributing Magecart. Given the success of Magecart attacks, new threat actors are likely to adopt similar tactics.

As if to illustrate the point that groups readily adopt different tactics, a report published by IBM describes Group5 testing new scripts designed to inject malware into websites through commercial routers providing WiFi in public spaces like airports, hotels, casinos or resorts. One of the scripts, 'test4.html', contains code to interact with commercial-grade Layer 7 routers that provide WiFi connectivity after the user passes through a captive portal that sets some conditions, such as paying for the service or viewing ads. Another script indicates that the actor aims at infecting Swiper, an open-source JavaScript library used by about 300,000 to make websites built for desktop viewing compatible with mobile devices.

Defending against these attacks poses a problem for website owners as well as consumers, as there is no reliable method to prevent such attacks once a vulnerability is discovered. However, some measures can be taken to reduce the frequency of the attacks. Merchants can enable checks on third-party resource integrity through a Content Security Policy (CSP), which allows JavaScript to load only from a trusted list of domains and blocks the attackers' domain. Another option is Subresource Integrity (SRI), which prevents modified JavaScript code from loading by checking a cryptographic hash of the legitimate resource. Consumers can use browser plugins that block the loading of JavaScript from untrusted websites. This offers only partial protection: a whitelisted website can still be compromised and credit card data stolen from it, and the plugin will only block its scripts once the site has been blacklisted.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
