Magecart Attack: Types, Examples and Prevention

This guide provides an overview of the Magecart attack, including its types, how it works, real-world examples, and prevention methods in cyber security.

What is Magecart?

Magecart is a term used to describe a variety of cybercriminal groups that specialize in stealing digital credit cards by skimming data during online transactions. The name “Magecart” originates from their early attacks targeting websites using the Magento platform, although they have since expanded their scope to other e-commerce platforms.

What is a Magecart Attack?

A Magecart attack is a type of cyberattack where hackers inject malicious JavaScript code into a website, usually the checkout pages of e-commerce sites. This code is designed to capture sensitive information entered by users during the checkout process, such as credit card number, name, expiration date, and CVV code. Once collected, this information is transmitted to servers controlled by attackers, who either use it for fraudulent transactions or sell it on underground markets.

How Magecart Attacks Work?

Magecart attackers typically follow a sequence of steps to carry out their attacks:

1. Infiltration

The attacker gains unauthorized access to the target website through various means, such as exploiting vulnerabilities in the website’s software, compromising third-party components, or using stolen credentials.

2. Code Injection

Once access is gained, the attacker injects malicious JavaScript code into the website. This code is often hidden to avoid detection and can be inserted into various parts of the website, such as payment processing pages or shopping carts.

3. Data Skimming

The injected code acts as a digital skimmer, capturing payment card information entered by unsuspecting customers during the checkout process. This information includes credit card numbers, expiration dates, CVV codes, and sometimes even personal information.

4. Exfiltration

The stolen data is then sent to servers controlled by the attackers, typically using encryption and other obfuscation techniques to avoid detection.

5. Monetization

Stolen payment card information is sold on the dark web or used by attackers to make fraudulent purchases, causing financial losses to both affected customers and targeted businesses.

Types of Magecart Attacks

These can be classified into two main types:

1. Direct Website Compromise

The most common type, where malicious code is inserted directly into the victim’s website. This allows the attacker to perform data skimming which involves copying data from the user while filling out a payment form, known as formjacking.

2. Supply Chain Attacks

Supply chain attacks target third-party components and services used by a website, such as payment gateways, advertising networks, analytics platforms, content delivery networks (CDNs), chat services, or customer rating systems. By compromising one supplier, they can affect multiple websites at once.

Examples of Magecart Attacks

Magecart has been responsible for several high-profile breaches in recent years:

▪ British Airways

In 2018, British Airways suffered a Magecart attack that compromised the payment card information of over 380,000 customers. The attackers injected malicious code into the airline’s website, allowing them to skim payment card details during the booking process.

▪ Ticketmaster

In 2018, Ticketmaster fell victim to a Magecart attack that affected its online payment page. The attackers injected malicious code through a third-party chatbot, compromising the payment card information of millions of customers.

Prevention Methods

Preventing magecart attacks requires a multi-layered approach, below are some mitigation strategies and cybersecurity best practices to consider implementing:

For Businesses:

1. Regular Security Audits: Regularly scan for vulnerabilities in your website and its third-party components.
2. Content Security Policy (CSP): Implement CSP to control the resources allowed to load on your website.
3. Subresource Integrity (SRI): Use SRI tags to ensure that the content loaded from external sources hasn’t been tampered with.
4. Monitor Third-Party Scripts: Regularly review and monitor all third-party scripts running on your website.
5. Segmentation and Isolation: Isolate critical systems like payment gateways from other parts of your network.
6. Employee Training: Educate your employees about the latest cyber threats and best practices.
7. Incident Response Plan: Develop a comprehensive incident response plan.

For Consumers:

1. Secure Connections: Only make purchases from websites using HTTPS.
2. Vigilance with Personal Information: Be cautious about the amount of personal information you share online.
3. Regularly Monitor Accounts: Regularly check bank statements and credit reports for unauthorized transactions.
4. Use Payment Services: Consider using payment services like PayPal, which don’t require entering card details on the merchant’s website.