
How to Protect from Magecart Attack?


Magecart is both a large group of hackers and a type of attack that mainly targets online
shopping carts. This kind of attack has become very common in recent years. Learn how to
protect your online store from a Magecart attack.


What Is Magecart?

We have already told you about the need to properly secure your online shops in this article about eCommerce security. Here you can learn more about one of the most dangerous types of attack, Magecart, which mainly hits ecommerce websites.

Want to have an in-depth understanding of all modern aspects of Magecart? Read this article carefully and bookmark it to come back later; we regularly update this page.

Magecart hackers usually target online shops built with Magento CMS and aim to steal customers' credit card information. This kind of attack is also known as a supply chain attack, web skimming, or e-skimming. The JavaScript code injected into the site's code during the attack is also usually called Magecart.

Cybersecurity experts first noticed this criminal group's activity in 2010, although Magecart became widely known only recently. Over more than 10 years of observation, Magecart attacks were detected about 2 million times. In total, since 2010 Magecart has been responsible for hacking more than 18,000 hosts. To deliver malicious code, criminals used 573 domains with approximately 10,000 download links to Magecart malware.

Today researchers are reporting a new series of Magecart attacks. Criminals have changed tactics and automated their attacks. Now they look for badly configured buckets and infect any websites and JavaScript files that they can reach.

Since April 2019, cybercriminals have compromised over 17,000 domains by posting JavaScript code (also called ‘skimmers’) on these websites. Vulnerable resources hosted content related to emergency services and chat forums for firefighters, police, and security professionals.

According to Computer Weekly, Magecart attacks on online retailers jumped by 20% during the COVID-19 pandemic.

Who Is Under Magecart Attack?

In 2018 the British ticket company Ticketmaster suffered a notable Magecart attack. Criminals introduced a skimmer through the customer support widget.

Later, a malicious script was found in the products of other providers. In general, more than 800 online stores and about ten thousand users suffered from Magecart.

In 2019, Magecart attackers exploited misconfigured Amazon S3 buckets to infect more than 17,000 websites. The criminals scanned the web for incorrectly configured S3 buckets containing JavaScript files and used a malicious script to inject the skimmer.
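
One way to check a bucket that serves your JavaScript for the kind of misconfiguration described above, as an added example that is not part of the original article: it scans a bucket policy for statements that let anyone write objects. The policy, bucket name and account ID are constructed sample data, and only bucket policies are covered; ACL grants need a separate check.

```javascript
// Write-type S3 actions that would let an outsider alter hosted JavaScript.
const WRITE_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                       "s3:PutBucketPolicy", "s3:PutBucketAcl"];

// Policy fields may hold a single value or an array of values.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use '*' and '?' wildcards.
function actionMatches(pattern, action) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test(action);
}

// Principal "*" and {"AWS": "*"} both mean everyone, including anonymous users.
function isPublicPrincipal(principal) {
  if (principal === "*") return true;
  return Boolean(principal) && typeof principal === "object" &&
         asList(principal.AWS).includes("*");
}

// Returns one finding per Allow statement that grants write access to everyone.
function findPublicWrite(policy) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== "Allow" || !isPublicPrincipal(stmt.Principal)) continue;
    const writable = WRITE_ACTIONS.filter((action) =>
      asList(stmt.Action).some((pattern) => actionMatches(pattern, action)));
    if (writable.length === 0) continue;
    findings.push({ sid: stmt.Sid || "(no Sid)", actions: writable,
                    resources: asList(stmt.Resource),
                    conditional: Boolean(stmt.Condition) });
  }
  return findings;
}

// Constructed sample policy: public read is intended, public upload is not.
const samplePolicy = { Version: "2012-10-17", Statement: [
  { Sid: "PublicRead", Effect: "Allow", Principal: "*",
    Action: "s3:GetObject", Resource: "arn:aws:s3:::example-static-assets/*" },
  { Sid: "LeftoverUpload", Effect: "Allow", Principal: { AWS: "*" },
    Action: ["s3:Put*"], Resource: "arn:aws:s3:::example-static-assets/js/*" },
  { Sid: "DeployRole", Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111122223333:role/deploy" },
    Action: "s3:*", Resource: "arn:aws:s3:::example-static-assets/*" },
] };

console.log(JSON.stringify(findPublicWrite(samplePolicy), null, 2));
```

A finding with `conditional: true` still needs a manual look, because the function does not evaluate the Condition block.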

The new attacks on eCommerce sites are generally similar to the previous Magecart attacks, but there is a relatively new group behind them, which the experts called Magecart Group 12. In total, they attacked 277 services related to booking airline tickets, online cosmetics and clothing stores, and so forth.

In addition to the JavaScript code, specialists also discovered additional code called jqueryapi1oad. The criminals used it during a long malicious campaign that began in April 2019. The code checks for bots, sets the jqueryapi1oad cookie with an expiration date based on the results of the check, and creates a DOM element on the page.

Then, additional JavaScript code is downloaded, which, in turn, loads a cookie associated with the Traffic Distribution System (TDS) to redirect traffic to fraudulent ads as part of the HookAds malicious ad campaign.

Analysts estimate that a malicious script stays active for about twenty days on average. However, once in a while a skimmer can stay on a web page for years, stealing the records of website traffic. Some Magecart criminal groups used the purchased Inter Skimmer Kit, which has been on sale on the dark web for more than a year.

So, in theory, any online store can be at risk of a Magecart attack!

Very often, data stolen from websites is sold on the Dark Web. You can now check for free whether your website data is on sale with the help of the ImmuniWeb Domain Security Test.

How Does Magecart Attack Work?

As we already said, Magecart is mainly distributed via malicious JavaScript code injected into downloadable plugins or add-ons for Magento online shops. Lately, attackers have started to use banner ads to distribute skimmers. According to the researchers, nearly a fifth of all malicious ads on the net incorporate Magecart attack scripts.

Although hackers often infect sites that are not online shops at all and do not even have payment pages, experts say that by prioritizing the number of attacks, the attackers managed to inject skimmers into a sufficient number of payment pages. It is reported that the victims included companies that provide services to other sites, so the infection of several JS files led to the malware spreading to thousands of other resources.

In 2019, during a lightning-fast attack, cybercriminals hacked nearly 1000 e-commerce websites in just 24 hours, proving that they did not act manually but used automated tools instead. Most of the affected resources were small e-shops, although there were also several large enterprises among them.

The skimming script was used to steal information from visitors of online stores, in particular their bank card data, names, phone numbers, and addresses. The script records all the data entered on payment pages and caches it in the browser until the victim refreshes the page or switches to another tab. The stolen data is then sent to a server controlled by cybercriminals.
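
The last step described above, sending the captured data to a server the criminals control, is what a Content-Security-Policy header can restrict. The following added example (not code from the original article) audits a CSP header for channels a skimmer could still use; both sample policies and the js.payments.example host are constructed.

```javascript
// Channels a skimmer needs: loading its script, then sending data out via
// fetch/XHR (connect-src), an image beacon (img-src) or a form post (form-action).
const CHANNELS = ["script-src", "connect-src", "img-src", "form-action"];
// These inherit from default-src when absent. form-action does NOT: without an
// explicit form-action directive, forms may post to any origin.
const FALLS_BACK = new Set(["script-src", "connect-src", "img-src"]);
const BROAD = new Set(["*", "https:", "http:"]);

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // When a directive is repeated, only its first occurrence counts.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  for (const channel of CHANNELS) {
    let sources = csp.get(channel);
    if (!sources && FALLS_BACK.has(channel)) sources = csp.get("default-src");
    if (!sources) {
      findings.push(`${channel}: not set, any origin allowed`);
      continue;
    }
    const broad = sources.filter((s) => BROAD.has(s.toLowerCase()));
    if (broad.length) findings.push(`${channel}: broad source ${broad.join(" ")}`);
    // 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
    const pinned = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (channel === "script-src" && sources.includes("'unsafe-inline'") && !pinned) {
      findings.push("script-src: 'unsafe-inline' permits injected inline scripts");
    }
  }
  return findings;
}

// Constructed sample policies for a checkout page.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";
const strictPolicy = "default-src 'none'; script-src 'self' https://js.payments.example; " +
                     "connect-src 'self'; img-src 'self'; form-action 'self'";

console.log(auditCsp(weakPolicy));
console.log(auditCsp(strictPolicy));
```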

How to Secure from Magecart?

To protect your company from a Magecart attack, make a complete inventory of your digital assets using ImmuniWeb Discovery. It finds all possible web and mobile applications, sets a security score for each of them, and shows which apps most critically need fixing. Moreover, it can search the Dark Web, cloud storage, and code repositories for all possible data leaks.

This approach of Attack Surface Management and Dark Web Monitoring allows you to get a complete view of your digital system security status.

After a complete inventory, you can proceed to AI-enhanced penetration testing, which ultimately protects your organization from any security threats, including Magecart attacks and the other modern attack methods that cybercriminals constantly invent.
