Getting Up to Speed on Magecart

Greater awareness of how Magecart works will give your company a leg up on the growing threat from this online credit card skimmer. Here are four places to start.

Casey Quinn, Associate, Newmeyer & Dillion

June 11, 2019


If you're not yet familiar with Magecart, you should be. On May 3, it was revealed that hackers used it to steal payment info from hundreds of online college bookstores. By some estimates, Magecart attacks have resulted in the theft of more credit card information than the high-profile breaches at Home Depot and Target. Beyond the college bookstores, it has hit the likes of Ticketmaster, British Airways, My Pillow, and Newegg in the last year alone. It's time you got up to speed on the topic.

Magecart (pronounced like "age-cart," but with an "m" at the beginning) is a method used to attack the payment systems of online vendors. It is a credit card skimmer (like those attached to the magnetic stripe readers at gas pumps) that intercepts card numbers and information when a payment card is swiped at the point of sale. The data is then saved or transmitted to be used illegally later. However, unlike at the gas pump, there is almost no way for a consumer to determine that Magecart skimming is about to take place. There is no physical manifestation of Magecart and it is not always easy to catch, even for knowledgeable IT professionals, because it takes advantage of universal code and other applications not typically related to payments.

Since first appearing in 2014, Magecart has been adapted by several different groups and for various targets. Each iteration tries to adapt to whatever defenses it encounters and seeks to exploit new vulnerabilities, making it difficult to effectively predict and stop. Leading researchers, like Yonathan Klijnsma, believe the various Magecart breaches have been carried out by at least 12 different groups since the method was first used, and they have noticed the groups moving beyond credit cards to steal credentials and administrative information as well.

Generally speaking, payments over the Web are relatively secure, with vendors using PCI DSS-compliant systems. As companies look to cut costs and increase efficiency, many use open source code to simplify the coding process and make it more uniform across the board. Others use third-party vendors to handle their payment systems. Although not necessarily bad ideas, these solutions present enterprising hackers with an opportunity to exploit common weaknesses and employ the Magecart attack.

The Newegg.com Breach
Despite not yet being a household name, Magecart is a growing problem. Last year's breach involving Newegg.com illustrates what Magecart does and how it works. According to Volexity Threat Research, on August 13, 2018, the Magecart attackers registered a domain name called neweggstats.com (indicating that the Newegg website was likely compromised beforehand). That same day, the attackers obtained an SSL certificate enabling the new domain to have an air of legitimacy when browsers communicate with it. The skimming started three days later when hackers added eight lines of malicious code to the payment page and continued for almost a month before it was removed.

More specifically, the Magecart attackers inserted malicious JavaScript code on a single page presented during checkout. To get to that page, a customer had to put an item in the cart and input shipping information. At that point, the customer was taken to the payment page that contained malicious code. Once the customer input their information, it was transferred to a Magecart drop server where the back end of the skimmer saved the information. Once attackers accumulated a significant amount of credit card information (about 500,000 credit card numbers), they listed it for sale on underground markets.

Not surprisingly, Newegg revealed little about how exactly it was compromised. Regardless of whether it was poor IT security protocols, bad password management, or human error, if Newegg had tighter controls, this might have been avoided. It appears that whatever security protocols Newegg had in place failed to identify that a breach occurred for nearly a month. The Magecart attackers certainly made a significant effort to ensure that their actions were not obvious, but it is fair to say that the attack went on longer than it should have.

Protecting Your Company
A seemingly endless supply of online retailers and unassuming consumers who are relying on third-party code or other similar systems to facilitate purchases means Magecart is likely to remain a threat. But being aware of Magecart and how it works should give your company an advantage in protecting itself as you consider the following four measures:

1. Reevaluate your current cybersecurity infrastructure. Your system probably already includes some type of logging and a way to review it, but would you, or your IT team, know if a hacker added eight lines of code to your website's payment page? Regardless of the answer, it is always good practice to regularly ensure that your cybersecurity system is prepared for current threats.

2. Is your IT team aware of what Magecart is? Do they know how they would respond? Do you have a cybersecurity incident response plan in place? The way it developed, it appears Newegg found out about the breach from someone else and then had to be reactive instead of proactive. If a researcher contacted your company to alert you about a breach, would you know what to do? Do you have a plan in place for evaluating any damages and communicating about the situation to your customers?

3. Carefully consider the vendors you use for your business (both online and offline), especially with regard to public-facing critical systems like the checkout page. Strive to ensure that your vendors have their own cybersecurity response plan in place and are doing all they can to avoid needlessly exposing your data.

4. Avoid payment methods that require transmittal of critical credit card information. Visa has addressed this with a token system in its Visa Checkout system. While it may not be a perfect solution, it is one that removes the exchange of credit card numbers at checkout and that can protect both you and your customer.

About the Author

Casey Quinn is an associate in Newmeyer & Dillion's Las Vegas office, and a member of the firm's privacy & data security practice. Casey brings his substantial experience in complex business litigation to the table helping businesses proactively navigate the legal landscape of cybersecurity.
