Magecart attacks exploit legitimate sites as C2 servers for credit card theft
A new breed of attacks known as Magecart attacks have emerged, targeting online stores to pilfer customers' credit card information and personal data during the checkout process.
These attacks employ sophisticated techniques, including the hijacking of legitimate websites to act as "makeshift" command and control (C2) servers, enabling hackers to inject and conceal credit card skimmers on targeted eCommerce platforms.
Magecart attacks hijack legitimate sites for malicious purposes
The Magecart attack technique involves hackers identifying vulnerable legitimate websites and exploiting them as hosts for their malicious code, using them as C2 servers for their operations. By leveraging reputable websites with a strong online presence, threat actors evade detection and bypass security measures, eliminating the need to set up their own infrastructure.
This strategy offers them a significant advantage in terms of concealment and enables them to reach a broader range of potential victims.
One of the most concerning aspects of Magecart attacks is the stealthiness with which they operate. Many victimized organizations remain unaware of the breach for an extended period, sometimes surpassing a month. This prolonged period of undetected compromise underscores the craftiness and sophistication of these attacks.
Cybersecurity firm Akamai, which has been closely monitoring these campaigns, reveals that organizations in several countries, including the United States, the United Kingdom, Australia, Brazil, Peru, and Estonia, have fallen victim to these attacks.
Targeting common platforms
To initiate the attack, hackers exploit vulnerabilities within the targeted websites' digital commerce platforms, such as Magento, WooCommerce, WordPress, Shopify, and other commonly used platforms. They may also target weaknesses in third-party services employed by the websites.
Though the precise methods of breaching these websites remain undisclosed, previous research on similar campaigns suggests that hackers exploit known vulnerabilities within these systems.
By camouflaging the skimmer with Base64 encoding and structuring it to resemble popular third-party services like Google Tag Manager or Facebook Pixel, the attackers successfully evade suspicion and detection.
The two faces of Magecart skimmers
Akamai's researchers have identified two variants of the credit card skimmers used in Magecart attacks. The first variant is heavily obfuscated, containing a list of CSS selectors specifically designed to target customer personally identifiable information (PII) and credit card details. Each targeted site has its own custom-made CSS selectors, increasing the likelihood of successful data theft.
The second skimmer variant, while less protected, exposes indicators within its code, aiding Akamai in mapping the extent of the campaign and identifying additional victims.
Once the skimmers collect customers' data, it is transmitted to the attackers' servers via an HTTP request disguised as an IMG tag within the skimmer. To further conceal the stolen data, Base64 encoding is applied, minimizing the chances of victims discovering the breach.
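The exfiltration pattern described above, an image request carrying Base64-encoded data, lends itself to a detection rule. As an added example, not code from the article or from Akamai's research, the following scan runs over constructed proxy log lines and flags image-like requests whose query string decodes to a Luhn-valid card number; the hostnames and the encoded record are made up for the demonstration.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import urlsplit
# Constructed sample log ("client method url"): a benign image, a real
# tag-manager script, and a fake tracking pixel carrying an encoded card record.
SAMPLE_LOG = (
    "10.0.0.5 GET https://cdn.example-shop.test/static/logo.png\n"
    "10.0.0.5 GET https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER\n"
    "10.0.0.7 GET https://img.compromised-site.test/pixel.gif?d="
    + base64.b64encode(b'{"cc":"4111111111111111","exp":"12/28"}').decode() + "\n"
)
IMAGE_EXT = re.compile(r"\.(gif|png|jpe?g|webp|svg)$", re.IGNORECASE)
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")  # long Base64-looking value
DIGIT_RUN = re.compile(r"\d{13,19}")                # card-number-length digit runs

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_blob(blob: str) -> str:
    padded = blob + "=" * (-len(blob) % 4)  # skimmers often strip '=' padding
    try:  # altchars accepts URL-safe Base64 alongside the standard alphabet
        return base64.b64decode(padded, altchars=b"-_").decode("utf-8", "replace")
    except ValueError:
        return ""

def analyze_request(url: str) -> Optional[dict]:
    """Flag an image-like URL whose query string decodes to a valid card number."""
    parts = urlsplit(url)
    if not IMAGE_EXT.search(parts.path):
        return None
    for pair in parts.query.split("&"):  # split by hand so '+' survives
        name, _, value = pair.partition("=")
        if not B64_BLOB.match(value):
            continue
        hits = [m.group() for m in DIGIT_RUN.finditer(decode_blob(value)) if luhn_ok(m.group())]
        if hits:
            return {"host": parts.netloc, "param": name, "cards": len(hits)}
    return None

def scan_log(text: str) -> List[dict]:
    """Return one finding per suspicious 'client method url' line."""
    rows = (line.split(" ", 2) for line in text.splitlines())
    return [{"client": c, **f} for c, _m, u in rows if (f := analyze_request(u))]
```

Skimmers may chunk or layer additional encoding on the payload, so treat this as a starting point alongside Content Security Policy and script-integrity controls rather than a complete detector.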
How to protect your sites against Magecart attacks
Website owners can adopt several measures to defend against Magecart infections. Strengthening website admin accounts, applying timely security updates for CMS and plugins, and conducting regular security audits are vital steps in mitigating the risks posed by Magecart attacks.
By proactively addressing vulnerabilities and implementing robust security practices, organizations can reduce the likelihood of falling victim to these malicious campaigns.
Minimizing risks for customers
While the onus primarily falls on website owners to protect against Magecart attacks, customers can also take steps to minimize their risks. Opting for electronic payment methods, utilizing virtual cards, or setting charge limits on their credit cards can provide an additional layer of security and reduce the potential impact of data exposure.