A recent study by Qubit has highlighted a 70.7% increase in online shopping, which has been attributed to the COVID-19 pandemic and closure of physical stores. The increase has made the prospect of credential theft and card skimming a particularly profitable and abundant criminal venture.
Research by the software company Cyberpion highlights that more than 10,000 websites and applications are vulnerable to card skimming or "Magecart" attacks.
These attacks involve malicious code being inserted on the target website, either directly or through hijacking of applications or plugins. The code is then executed client-side on the user’s browser, resulting in credentials and potentially payment details being stolen by the cyber-criminal.
Magecart is a term first coined by cyber security company RiskIQ in 2016 and is a contraction of the words Magento, which is a prolific open-source e-commerce platform, and shopping cart.
Magecart attacks begin with the compromise of a target website, either directly or by supply chain attack through its third-party services such as applications or plugins. Once this compromise is achieved, the most common method of attack is the injection of malicious JavaScript into the website or third-party service. This is then executed by the user’s browser, with the goal being the exfiltration of sensitive form data, including payment card details submitted at checkout pages.
Exfiltration can be achieved in many ways, such as the use of a simple POST request within the code, or quite uniquely through obfuscating the stolen information within image files, a technique known as steganography.
Several tracked criminal groups specialise in this style of attack include Magecart Group 7, 8 and 12, who have specific tactics, techniques and procedures (TTPs).
Magecart attacks appeared to peak in 2018, with high profile attacks on Ticketmaster, British Airways and Newegg, but have continued to evolve and develop, on average costing the target company $50-200k in fines and recovery costs.
Many Magecart attacks come in the form of prebuilt skimmer packages, which are bought/sold on darkweb marketplaces and hacker forums, which can then be configured by a cyber-criminal for their own use.
A large proportion of shoppers now use their mobile phone as their primary browsing device, with research suggesting that around 75% of online purchases are made via a browser on a phone. As such many Magecart skimmers are now being designed to specifically target mobile devices such as the MobileInter skimmer, which performs mobile browser checks prior to execution, only targeting.
The compromise of websites with malicious Magecart JavaScript can often be detected using the free online tool URLscan.io (see image below). By performing a scan on a website (1) and navigating to the HTTP transactions menu (2) and Scripts section (3), it is possible to analyse all the JavaScript code being run on the website.
As an example, below are the results from a website known to be infected with Magecart script. The malicious code can be easily identified, as it is being hosted on an OVH IP (4), standing out from other scripts which are being hosted on the websites IP, or other genuine third-party scripts belonging to Google.
By clicking on the 'Show Response' button (5) it is possible to view the JavaScript code, which is obfuscated, a clear warning sign of malicious activity. This can occasionally be de-obfuscated by using online tools such as de4js or similar, but many attackers will use unique techniques to obscure their code and frustrate analysis.
It is common to see an increase in Magecart skimming attacks in the run up to Black Friday and the festive season, due to the increased opportunity seasonal shoppers present to criminals.
In December 2020, there was a surge of skimming attacks involving malicious PayPal iframes, which imitated the genuine checkout process of compromised websites, and it is likely that similar attacks will occur this year.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).
Kommentare