Magecart Attack

About Magecart

Magecart is a type of data skimming, which is done to steal the data from online stores, there is no harm caused to the online stores but the data of customers is taken from these websites and the credit card details of the customer are acquired by placing malicious codes into the websites. Most frequently when the customer is about to checkout and do the final payment for the products or services this time the code works and redirects the customer to a different page which does not belong to the online retailers but looks very much similar or it starts to extract the sensitive information from the original website. It is not possible for a common man who is making the payment to know that whatever data he is entering at the final payment stage is being extracted by someone else.

Functioning of Magecart

There are various steps involved in this process, it is a well-established pattern and all these steps are important to acquire the data of the consumer. First one is to gain the access of the targeted website, the cyber criminals first set their target and get all the relevant information about the website and its functioning, the main information is about any third party supplier, many websites have a contract with the suppliers who supply the code for improvement or additional features for the website. The person who wants to gain access can do it by directly placing a skimming code into the main server and breaking into the main infrastructure of the website, researchers have identified 40 different ways to inject the code by breaking through the server of the website.

The next step is to skim sensitive data once the code is placed, there are lot of different ways to gain access to the data but usually the skimming code is some sort of Java Script which is programmed in such way that it would record the whole sensitive data the most important being in this case is the credit card number and the CVV code or the code can redirect the information to another domain which is operated by the attackers, and this programme code is hidden behind some other code to avoid the detection and the malicious intent of the attackers.

The last step being the simplest comes when the website is tampered with the code and the intake of important data is done, the only thing remains is to send the information to almost anyone at any location through internet. These attackers have their own portals and websites to sell such data they just don’t use it for their own benefit but the sell the data which is more profitable and less risky, because the one who misuses the data is the criminal according to law, once the data is sold it is not that easy to track them down.

There is another form of attack involved in magecart that is the supply chain attack which is more dangerous than the above mentioned process, the target under this type of attack are the one who provide supply codes to the website according to their need, not every website have their own scripts to work on codes for upgradation or any new system so they hire someone who can provide them with all the coding. The attacker targets such suppliers and enter the skimming code into their programs, by this way the attackers get access to not only one website but of each and every website for whom the supplier integrates the program.

Identity of Magecart

There is no specific organisation or any group behind Magecart, it is a type of cybercrime which is exercised all around the world and there are several groups who use the same modus operendi. There are famous groups by numbers like Magecart group 12, Magecart group 7 and etc they have come one after another Magecart attacks like when the first attack took place it was done by Group 1 of Magecart and then Group 2, 3 followed it. The latest attack was done by Group 12. These attackers mostly pray the websites who have taken codes or have hired them for other services to run the website it is now a common practice to have 50 different codes set by developers who are hired. The codes which are run by the owner of the website himself is called the first party code and the codes which come from the suppliers are third, fourth or even fifth party code, also the person who gets the code from an outsider is unaware about the fact that the outsider who has designed the code can get the same amount of privilege that the first party code developer has originally.

Cases related to Magecart

The very first magecart group actively emerged in the year 2015, but we can trace its origin way back to year 2000 when the experts found that there was a skimmer code with the name of cart32 which was exposing the details of credit cards belonging to the customers of small and medium sized e-commerce vendors, in the year 2007 few e-commerce websites complained about persistent attacks and compromises through some unique tools and techniques, further in 2011 experts analysed the pattern and they mentioned that the compromises were done to inject iframes into legitimate e-commerce websites, which then mandated the users to download the data stealing malware by giving it a different face. From 2013 the attackers started targeting websites based on magento PHP scripts, they modified the scripts in such manner that it started recording the sensitive data of the consumer without the knowledge of the e-commerce vendor. Few cases are such that small and medium sized e-commerce websites wilfully may enter such codes to record the sensitive data and later on put the blame on the attackers with whom they have a contract of profit sharing.

As mentioned above the first magecart group emerged in the year 2015, the attack took place in the year 2015 but the domains used for the attack were created back in early 2014 for creating some history and for backup. This group targeted US job seekers and lead them to ship the items to Europe which were purchased from stolen credit cards. For the very first time the skimming code was brought into the picture by the attackers. Other famous cases are mentioned below.

TicketMaster

On 27^th June 2018, Ticketmaster a company involved in selling and distributing of various tickets online announced that their websites across the globe are been compromised and the attackers have access to the card information of many customers it was found that under this attack nearly 800 websites were compromised. In this case the main Ticketmaster codes were not compromised but a third-party code was found to be skimmed named Inbenta which is the supplier of Ticketmaster. This was a first third party supplier attack, before this the magecart group used to conduct the attacks on single-single websites by compromising the first party codes, but for the very first time they attacked a third-party supplier, Inbenta in this case which gave them the access to more than one particular website. Further investigation claimed that the attackers had placed the code in 2016 itself and they have been observing the activities happening on the website. According to Ticketmaster’s official statement only the following websites were compromised and data from these following websites was stolen Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb, but in actual many other websites of ticketmaster were compromised.

British Airways

British Airways communicated on 6^th Sept 2018 that there is a breach into their website which has caused theft of customer data, further it mentioned that data of around 380,000 customers was stolen and the data mainly consisted of personal and payment information. In this case British Airways themselves declared that the website has been compromised and the payment information has been leaked of those customers who have paid via the website as well as the mobile application between 22:58 BST August 21, 2018 – 21:45 BST September 5, 2018. In this case no third-party supplier was attacked, only the British Airways official website was compromised by entering a Java script which was designed very carefully. The Java script was injected and the script was designed in such manner that it sent the data of the customer when the customer hit the submit button on the baggage claim page. The server which was receiving the information was baways.com, this domain name was hosted on 89.47.162.248 which is located in Romania, this time the attackers got the VPS (Virtual Private Server) from Time4VPS which is based in Lithuania. Also, the server was loaded with SSL (Security Socket Layers) certificate which was a paid certificate from Comodo instead of free certificate from LetsEncrypt to avoid the detection and made it look like a legitimate server.

Macy’s Magecart Attack

Macy’s a famous American department store chain reported in the month of October 2019 that its website is facing some troubles and after investigation it was found that the has been some skimmer code inserted which was taking away the credit card information of its customer while they were making the payments. They further stated that some unknown source scripts are placed into their websites which was a card-stealing malware script this activity was taking place from 7^th to 15^th October in the year 2019. This was one of the most unique attack done by the magecart group first reason being that the magecart group this time didn’t target any third party supplier but the made changes into the Macy’s own script, second reason is that the skimmer code was not just placed on the payment or checkout page but it was placed in the page which allowed the customers to add money into their virtual wallets, this was done because maximum users use to add the money into their wallet first by entering all the card details just once and later during the time of checkout they easily used to pay from the wallet. The attackers had observed the customer journey very minutely and were successful in taking all the data of customers who used to the website from 7^th to 15^th October.

Olympics Tickets and Survival Kits Magecart Attack

This attack is one of the most recent and well-known attack in which the attackers targeted a website which was formed for reselling of Tokyo Olympics tickets and Euro 2020 Tournament tickets which is an International Football Tournament scheduled in June 2020 the Domain name of the website were olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by placing a skimmer code which used the domain opendoorcdn.com for extracting the data. Meanwhile when the news of Corona Virus broke down the attackers triggered websites like be.prepared.com which sells online survival kits and Augason Farms website which sells emergency food supplies, a similar domain name was found to be skimmed in both of these websites by the name of storefrontcdn.com, both of these websites are owned by Blue Chip Group Manufacturing because of this it was easy for the attackers to get the access of both the websites.

In the month of December 2019 first arrest was made in Indonesia of Magecart attackers, 3 people were arrested by combined efforts of Indonesian Police and Interpol the suspects are charged for conducting multiple magecart attacks, they are said to be active from 2017 and from the data stolen they have purchased electronic and luxury goods also they have resold the goods purchased with credit cards of which the data was stolen through various magecart attacks.

How to Avoid a Magecart Attack

It is not east to detect a magecart attack the main reason being that the one who is being attacked suffers no loss out of it, the losses are suffered by their customers and when a customer will report a problem only then the action can be taken, also it is not possible to audit the original codes with the current codes frequently and even if it is done many of the codes come from third party supplier which cannot be audited by the website owner. The only thing that can be done is to take zero trust approach and allow certain scripts to work which are coded by the website owner when the sensitive data is entered but with the available browsers in the market running such scripts is a difficult task, and also it is avoided by the small and medium sized online vendors. Another precaution which can be taken to prevent the access is by intercepting all the API calls done from their websites. Mainly the third party supplier is responsible for such breaches being the easier target, to avoid this the vendors can encrypt their system in such manner that whenever the third party code gets access to sensitive data an alert shall be sent to the owner of the website to track down the reason behind such access. The customer can also protect themselves by using modern tools to do payments like the most secured being the Apple Pay which generates a different number for each and every transaction, also other payment wallets are available nowadays which don’t need the credit card information each time the payment is made. In this manner a magecart attack can be avoided, further the governments of respective countries should also take measures to avoid such attacks by recognising such crimes and making people aware of it, also they can post guidelines for the online vendors and the customers which are to be followed to avoid the attacks.