MAGECART THE CARD SKIMMING CARTEL

PocketSIEM
3 min read, Aug 30, 2021
MAGECART THE CARD SKIMMING CARTEL — Same techniques, new tactics.

What is MAGECART?

Magecart is an umbrella term for a large number of cybercriminal groups that have little in common beyond a shared speciality: skimming Personally Identifiable Information (PII) from users of known-good websites. These groups prey most heavily on eCommerce websites and apps and are most interested in card and payment details. What makes these attacks more interesting than most is that the classic approach does not compromise the vendor of goods itself, such as Amazon or eBay, but rather the third-party scripts and plugins that the payment page loads and runs in the shopper's browser.

How does it work?

Websites on the internet today are more interconnected than ever before. When you visit a page, without even realising it, a single click has taken you to many more: ads, content delivery networks, scripts, plugins and so on. When creating websites and apps, developers will often reuse other people's code. Why give yourself a headache programming a visitor counter when there is one readily available on GitHub? A payment page for an eCommerce website will often make use of a whole bunch of code that is fetched from other parts of the internet as the page loads. An attacker compromises that code at its source so that, as the payment page loads, the script is fetched and executes just as it ordinarily would, but now it also does the work the attacker wants: skimming user input from fields such as the card number or CVV. Note that a script the page includes runs with the same privileges as the page's own code, so it can read every field on the checkout form; where it was downloaded from does not restrict it.

What tactics are used?

Websites and apps that handle sensitive user input use encryption (TLS) to protect the data on its way from the user's browser to the webserver. This stops a person-in-the-middle attack, in which an attacker positions themselves in the middle of the connection and captures the data flowing across it: encrypted card information is useless to them. TLS only protects the data in transit, though, so to get card information in clear text an attacker has to do one of two things: capture the user's input in the browser before it is submitted (and therefore before it is encrypted), or capture it at the other end, on the webserver, once it has been decrypted. Until recently MageCart groups have favoured the first approach, and it is clear why. On the webserver side these eCommerce companies are likely to have well-configured security measures in place; it is likely to be easier to compromise a plugin written by Jane on GitHub than a bank's server room. Compromising third-party scripts also casts a much wider net: one script is likely to be in use on many eCommerce sites, whereas compromising a single web server limits you to the PII processed by that one company. However, for whatever reason, the latest MageCart group has opted for server-side attacks. They have been replacing the site's 'favicon' with a bogus PNG file that actually contains PHP, designed to forward the freshly decrypted PII from the webserver to the attackers. Note that this only works once the attackers already have write access to the webserver, which is why the patching advice below matters as much for this variant as for the classic one.

Preventative measures

Regular updates

Vulnerabilities in Content Management Systems (CMS) are by far the most popular route by which MageCart groups compromise a site. Keeping your CMS, such as Magento (MageCart's favourite, hence the name) or WordPress, and its extensions patched and up to date is a great way to drastically reduce your exposure to MageCart attacks.

Code reviews

You almost certainly use third-party code on your website. We all do. While you may do regular assessments of your own code, it is important to understand that the classic MageCart tactic is not to compromise you, but rather that bit of JavaScript running on your checkout page that is fetched from a developer's server in the cloud somewhere. Regular audits of your third-party code and prompt updates of your plugins will help ensure you do not have old, known-vulnerable code running on your site. For scripts served from a host you do not control, pin each one with a Subresource Integrity hash so the browser refuses to run a copy that no longer matches what you reviewed, and use a Content Security Policy on checkout pages to restrict which hosts may supply scripts and which hosts the page may send data to.

Purple Team engagements

Regular pentests are fine, but they will likely not yield the results you are truly looking for. A Purple Team engagement involves full adversary emulation: it is a pentest that focuses on simulating an attack such as this one, with your defenders watching alongside, rather than just poking holes in your site. Regular Purple Team engagements will ensure you are patching the right holes while teaching your security team and developers how to spot them.

Author: Connor Tyler-Treanor of th4ts3cur1ty.company & PocketSIEM


PocketSIEM

PocketSIEM is a Security Information and Event Management (SIEM) service based in the UK. They are globally recognised cyber defence service providers.