Magecart attacks - can your business stay secure?

View all

Magecart attacks - can your business stay secure?

September 2018

Is it possible to keep hackers like Magecart at bay?

At least three major businesses have been compromised in a spate of cyber attacks over the past few months. As many as 800 other ecommerce websites around the world may also have been affected.

The attacks are believed to be the work of a known cybercriminal group, Magecart. This group of hackers has shown itself to be capable of using generic attacks to target hundreds of online businesses, with more specialised attacks designed to take on bigger targets like British Airways.

BA, Ticketmaster and Newegg have all made headlines with their loss of customers’ personal and financial data in these attacks, though they are likely just the tip of the iceberg. The breaches come just a few months after the implementation of GDPR, which could compound the frustrations of a trying few weeks with a large fine.

By all accounts, Magecart’s attacks were subtle, highly targeted and difficult to spot, but could something have been done to stop them? In this article, Nexor explores how other internet giants can avoid a similar fate.

What are the Magecart attacks?

Before we can work towards a solution, we need to understand the problem. Magecart’s attacks look to have intercepted data before it reached the provider’s server, circumventing security measures like encryption.

The issue really lies in a compromise of the information exchange between the customer and the provider. The following example breaks down a typical attack:

The customer wants to buy something from the online provider. To complete the transaction, the provider requests payment from the customer and sets up a secure communication channel. The customer enters their payment information. However, unknown to the provider and customer, the provider has been hacked, sending additional information to the customer’s web browser asking for a copy of the payment details to be sent to the attacker.

In the above example, the secure information exchange channel has been opened, but has been compromised from the start by an undetected attack on the provider’s site. The attack is essentially a digital version of the card skimmers used to copy payment details from physical cards used at ATMs.

What made them so difficult to avoid?

Magecart, the group thought to be behind all the attacks, achieved their goals by injecting their code into the websites through third-party suppliers. Thus, it was the third-party supplier that was really breached, even though it was the website’s data that was compromised. While this fact may lessen the GDPR fines that these businesses are presented with, it makes the actual attack much harder to identify than it might have been otherwise.

In the cases of BA and Newegg, the nature of the attacks were only discovered by intense research from California-based cybersecurity company RiskIQ. Upon close inspection of changes in the BA website’s scripts over time, they were able to identify suspicious changes that matched up to the start of the attack.

Magecart had attempted to cover its tracks by paying for a secure server and requesting that data be sent to a legitimate-looking domain: baways.com. This tactic made the changes much less obvious, allowing them to go under the radar for several days.

What are the consequences for companies like British Airways?

The immediate consequences for affected businesses are the hits they have taken to their reputations and finances. The BA attack alone affected some 380,000 people, damaging the company further after their history of IT troubles and requiring them to compensate anyone who had been financially impacted by the breach.

Equally troubling for these companies is the possibility of repercussions from the Information Commissioner’s Office, newly empowered by the GDPR and the UK’s Data Protection Act 2018. If the full force of the new fines is brought to bear, BA could stand to lose around £500 million.

For various reasons, experts consider the highest sanction unlikely for victims of the Magecart attacks. The key mitigating factor is the way the attacks circumvented many security measures that the ICO could expect these businesses to have in place. It is likely that the Information Commissioner will want to show the strength of the new measures, but will have to do so in such a way that takes into account the difficulty of preventing this kind of attack.

How can companies protect themselves against these breaches?

The Magecart attacks are interesting in that they highlight flaws in these companies’ processes, rather than their technology. The crux of the issue lies in the compromised third party suppliers, many of which have been identified by RiskIQ.

If a website is relying on third-party suppliers for certain functionality - as many do - it is essential that these sites track security statements from their suppliers and remain aware of security breaches. It is commonplace for third-party suppliers to put corrective updates in place should a breach occur, which need to be applied by their clients as soon as possible.

To protect themselves against Magecart’s attacks and similar threats, organisations need good SecDevOps processes in place. Tightening up your SecDevOps processes allows the business to remove vulnerabilities and spot any irregularities that could be signs of an attack. It helps keep the code of your own website secure and helps the company to ensure that third-party suppliers are not causing security issues.

Nexor’s SecDevOps consulting programme is one way to get your company the expertise it needs to guard against Magecart attacks and others like them. Our experts will work with your developers to ensure that their practices are security-conscious and well-equipped to deal with threats before they cause issues like those we’ve discussed in this article. Get in touch today to find out more.

Read more posts on