Magecart Group Continues Targeting E-Commerce SitesArxan Analyzes Vulnerabilities in Over 80 Sites Hit by 'Formjacking' Attacks
A previous report by Symantec found nearly 4,800 websites are subjected to formjacking attacks each month.
And while security researchers have been calling more attention to attacks from Magecart-affiliated groups, the Arxan report shows these types of incidents are widespread, with many types of e-commerce sites targeted. The attacked sites identified in the report included some associated with major consumer brands in the motorsports industry and luxury apparel market.
A major concern is that many companies are not updating and patching their web applications, or not checking if the code has been tampered with by attackers, Aaron Lint, chief scientist and vice president of research at Arxan, tells Information Security Media Group.
"Vendors need to make sure they are protecting their websites and web apps - especially when they are collecting personally identifiable information or financial information from customers," Lint says.
"The Magecart threat is not new - and has very high profile, public breaches - so vigilance is key. In addition to basic housekeeping - like keeping website platforms patched and updated to the latest versions - ensure your web code has been audited for any signs of code tampering, and make sure you have a security solution in place that is able to identify any attempt at code tampering and protect against this type of attack and others targeting the client side."
Earlier, security consultant Willem de Groot, who is based in the Netherlands, found that one in five online stores that suffered a Magecart infection cleaned it up only to be re-infected usually within five days (see: InfoWars: Magecart Infection Points to 'Industrial Sabotage').
The Arxan study also found repeat infections on some sites. "We did notice websites that had been infected at the same time by different Magecart groups - code from one Magecart group directly above the code for another Magecart group," Lint says.
"CISOs really need to take another look at how they are protecting websites and, more importantly, protecting the data being collected from those websites, and ensure they have the right security tools in place to keep that data secure," Lint says. "An organization’s threat model must include the attack vector of their application code running on untrusted environments and the ways that information can be exfiltrated when the client code is changed or replaced."
Easy to Find
After finishing their investigation, the researchers notified the FBI and the affected sites.
Most of the e-commerce sites studied were running older versions of applications that had not been patched and were susceptible to either unauthenticated uploads or remote code execution, the researchers found.
Magecart groups are known to target other content management platforms as well, including Shopify, OpenCart, OSCommerce and Wordpress, Lint notes.
The Magecart umbrella organization, which includes at least 12 criminal groups, dates back to 2014. But the number of attacks associated with these groups has steadily increased over the last 18 months.
In recent months, Magecart-associated groups has been suspected in attacks against shoe manufacturer Fila as well as the bedding sites Mypillow.com and Amerisleep.com, according to an earlier analysis by security firms Group-IB and RiskIQ. In addition, British Airways, Ticketmaster and Newegg have also been attacked (see: RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets).
In July, Britain's privacy watchdog issued a "notice of intent" that it plans to fine British Airways about $230 million for violating the EU's General Data Protection Regulation. That violation of the law is believed to be tied to a Magecart attack that exposed personal details of about 500,000 customers (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
In most cases, the Magecart groups don’t use the stolen credit card information themselves, but rather sell it in bulk on dark net sites, researchers say. This data has been found on underground forums including Empire Markets, Dream Markets, Wall Street Markets, E-Shop, BigDeal, and Vahalla.
These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected into an e-commerce site to skim data that consumers use to buy goods..
In many cases, the skimmers remain invisible to both the retailers and their customers, Lint says.
"There is not much that end users can do to protect themselves," he says. "Infected Magecart sites are invisible to them - although sometimes a consumer security solution will block or warn against a potentially malicious site that you are trying to visit."