Security: Top-ten MageCart victims

Thousands of ecommerce sites have fallen victim to MageCart attacks, scraping credit card details and defrauding customers. Here are some of the biggest.

When Amazon and other ecommerce websites were first set up, their potential customers were often reluctant to use them.

It wasn't just the slow pre-broadband-era speeds that were off-putting, but security: how could you trust a non-physical website, which could be located anywhere, to look after your precious payment details?

Today, few people think twice about tapping their credit card details into almost any site in order to acquire new items of tat online. But payment security has become a big issue, with the formjacking technique known as Magecart, perpetrated by a number of attack groups, running rampant and compromising the payment pages of hundreds - possibly thousands - of ecommerce websites.

Ironically, perhaps, the Magecart series of payment skimmers started around 19 years ago with a backdoor to the Cart32 shopping cart software. It doesn't look like much has changed in the two decades since then.

Who, or what, is Magecart?

Magecart isn't a single group of attackers, but an attack technique that involves the injection of malicious code into ecommerce sites in order to ‘grab' payment information as it is keyed-in.

Malicious JavaScript code that acts as a form grabber, or a simple ‘cloud-based' keylogger, is injected into breached shops. As buyers fill in their payment details, the data is captured and sent in real time to the attacker, according to ClearSky Cyber Security in a 2016 research paper.

"This method is different than other ways of stealing payment details, such as infecting the buyer's computer, implanting malware in point-of-sale terminals, or dumping entire databases from breached online shops," it continued, adding that even sticking rigidly to PCI standards won't protect an organisation from Magecart.

Attackers first need to compromise a target, perhaps by exploiting a vulnerability in the web platform or acquiring, one way or another, admin credentials. Then, they typically add a <script> tag to load malicious JavaScript from one of the domains they own directly into the payment page.

"The malicious JavaScript code is served over HTTPS with a valid SSL certificate. Using HTTPS is important for the attacker to keep its malicious activity undetected, because script loaded over HTTP would trigger a "mixed content" warning to the user," continued ClearSky.

Part of the problem of keeping payment pages secure is the number of scripts that are typically fired up when the ‘check out' button is clicked, according to security consultancy RiskIQ.

The British Airways website, for example, "spins up around 20 different scripts and loading the booking sub-page bumps that up to 30. While 30 scripts might not sound like much, many of these are ‘minified' scripts spanning thousands of lines of script", it warned in a research paper released following yet-another Magecart attack.

Here, then, are some of the biggest or most high-profile victims of Magecart (that we know of...)

10) Infowars

Infowars is arguably the internet's best-known website for conspiracy theories and other forms of online lunacy. It is probably, however, highly lucrative for its founder and ranter-in-chief Alex Jones - America's answer to David Icke - making it a prime target for Magecart.

It was revealed in November 2018 that the organisation's online store had been compromised with credit-card skimming software that would have sent buyers' payment details to a server based in Lithuania.

However, it wasn't Alex Jones himself that first discovered the Magecart compromise, according to BleepingComputer, but security researcher Willem de Groot who has specialised in such attacks.

9) Topps.com Sports Collectible

If you're not into trading American sports cards and collectibles, then you'll probably not be familiar with Topps.com. However, for almost two months, from 19th November 2018 to 9th January 2019, the company's payment pages were compromised by a malicious script that siphoned off customers' debit- and credit-card details, and much else besides.

In its mealy-mouthed breach notification it claimed that "it is possible that this incident compromised names, mailing addresses, telephone numbers, e-mail addresses, and payment information".

While the notification introduces an element of doubt, there really shouldn't be: when Magecart strikes, all these things are very definitely compromised, and while mailing addresses aren't easy or cheap to change, payment cards certainly should be.

The company added that it had since upgraded the software behind its payments systems and that everything was therefore a-okay - implying that a large part of the reason why it was breached may have been because it hadn't kept critical software infrastructure up-to-date.


8) Fila UK

Christmas 2018 was certainly a busy and highly profitable time for the groups behind Magecart web-skimming attacks. It wasn't just Topps.com in the US that had been nobbled, but also the purveyor of brightly coloured threads to gormless youths, Fila UK.

And it's not just the models of Fila's clothes that appear to be somewhat gormless, but also the company's security team - the compromise would appear to have lasted around four months, from November 2018 to March 2019.

According to Russian security outfit Group-IB, Fila UK had the privilege of being targeted with a new JavaScript sniffer, dubbed GMO. "Group-IB's Threat Intelligence team first discovered GMO on the FILA UK website," it revealed.

"The malicious code was detected in early March 2019. In the course of further research it was revealed that GMO JS Sniffer has presumably been collecting customer payment data since November 2018."

Group-IB guesstimates that some 5,600 customers were exposed, which is a surprisingly high number given the state of Fila's merchandise.

7) OXO International

OXO International - not to be confused with the stock cubes made by Premier Foods - makes all kinds of funky kitchen utensils. Unfortunately, its IT security doesn't appear to be as good as its ‘Good Grips' meat tenderizers.

In December 2018, OXO International was forced to issue a warning that the company's customer and payment information systems might have been breached, not just once, but numerous times in the previous two years, in a string of attacks that, it would appear, were perpetrated by more than one group.

Despite this evidence of lackadaisical IT security, OXO International insisted in a letter to customers that it took "the protection and proper use of your information very seriously", and added that it believed that "the attempt to compromise your payment information may have been ineffective".

Not half as ineffective as OXO International's IT security, it seems.

6) Sotheby's

Sotheby's might not be everyone's first port of call for home furnishings, but anyone purchasing goods via the Sotheby's Home website will almost certainly have a decent credit limit, making it a pretty tasty target for scammers.

However, it only admitted that it had been compromised three months after it became aware of the intrusion in October 2018, and even then the company was unclear about whether customers had their valuable personal and payment data filched.

It claimed in press statements that a JavaScript skimmer installed on its payment pages "may have transmitted personal information you entered into the website's checkout form" to a third party.

We'll help them out here: there's no "may" about it - they were, and anyone who bought anything from the website from August to October last year should have cancelled their cards ASAP, if they didn't when hefty purchases for gear at Belarusian ecommerce sites turned up on their monthly statements.

Sotheby's Home was only formally launched at the beginning of 2018, so getting hacked within its first year hasn't exactly made for an auspicious start.

5) Adminer

Supply chain attacks are increasing, and open-source offers something of a soft underbelly: most projects are administered by enthusiasts who just want to develop their tools in peace. So when attackers started taking advantage of security flaws in Adminer, a popular PHP tool for administering MySQL and PostgreSQL databases, it opened up hundreds of ecommerce sites to attack.

Adminer enables administrators to manage multiple databases via a GUI inside a web browser. The tool needs to be installed on servers, but is also bundled with various plug-ins for WordPress and the Magento open source ecommerce suite.

However, once installed, administrators need to secure it with, at the least, a password - and many failed to do so. As a result, warns Sanguine Security, it can be used to fetch passwords and, therefore, to access websites running Magento, WordPress and any other database managed using Adminer, where the tool hasn't been updated to the latest, secured versions.

"Exploitation happens in three stages. First, the attacker needs a modified MySQL server, which is altered to send out data import requests to any client that connects.

"Second, an attacker needs to find an open adminer.php on the victim system. That is not hard, as many people install it in the root of their site. Once found, the attacker can instruct Adminer to connect to his rigged MySQL server.

"Adminer will then connect to the foreign server, log in with the credentials, and immediately receive a data import request from the server for a specific file...

"Third stage: as the attacker now has the master password for the victim site, he can use the same Adminer to access the database of the victim. And continue to steal private data or inject a skimmer."

Adminer 4.6.3 was released in June 2018 and attacks linked to Magecart exploiting the security flaw were observed from October 2018. Users have been urged to upgrade to the latest version as a matter of priority.


4) Cancer Research UK

Charities, auctioneers, spatula manufacturers - it's all the same to the cyber criminals behind Magecart. Typically, the attacks are automated and not initially targeted, unless a chink is found in a major organisation like, say, one of the world's largest airlines.

Details about the compromise of the Cancer Research UK online giftshop, which is unlikely to be a massive money-spinner, are sketchy and it was only mentioned in passing in a RiskIQ report - among a slew of other victims - before being picked up by national news media.

However, it should be a warning that no shop, large or small, virtuous or otherwise, is immune from Magecart and the cyber criminals behind it. "Any organisation that processes payments online is a target," warned security specialists RiskIQ.

3) Newegg

While electronics retailer Newegg doesn't have an online presence in the UK, with annual sales of $2.65 billion, it is nevertheless reasonably well known across the world. And, being an electronics retailer, customers would expect it to know better.

The Newegg compromise was uncovered just a week after the British Airways attack, and bore all the hallmarks of the same group. "The elements of the British Airways cyber attacks were all present in the cyber attack on Newegg: they integrated with the victim's payment system and blended with the infrastructure, staying there as long as possible," claims RiskIQ.

Prior to the attack, the group registered a domain name that to any Newegg IT staff might look legitimate - neweggstats.com, backed up by a paid-for digital certificate from Comodo.

"Around August 14th, the cyber attackers placed the skimmer code on Newegg, managing to integrate it into the checkout process and achieve their goal of disguising it well," writes RiskIQ.

"The skimmer was put on the payment processing page itself, not in a script, so it would not show unless the payment page was hit. Hitting that page means a customer went through the first two steps - they would not be able to hit the checkout page without putting something in a cart and entering a validated address.

"The URL for the page that would return the skimmer was: ‘https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx'. Integrating with this process hid the skimmer and might help explain how it was on the Newegg website for more than a month.

"The skimmer code is recognizable from the British Airways incident, with the same basecode. All the cyber attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways. In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script."

Going live on 14th August, it was only removed on the 18th of September, and the skimmer worked with both the website and the mobile app.

With more than 50 million visitors every month, it's a fair bet that this attack claimed a large number of unsuspecting victims.
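As an added illustration (not code from the article, ClearSky, RiskIQ or any of the retailers named), here is a small Node.js audit of a checkout page's script tags that covers both shapes described above: an external script pulled from an attacker-owned HTTPS domain, as in the ClearSky description, and a skimmer placed inline on the payment page itself, as at Newegg. The host names and markup are constructed for the example.

```javascript
// Added example, not code from the article or from any vendor or retailer it names.
// Audits a checkout page for an external script from a host outside the allowlist
// and for an inline script that is absent from a known-good baseline capture.

// Assumed first-party and payment-provider hosts; replace with your own.
const ALLOWED_HOSTS = new Set(["shop.example", "js.payment-provider.example"]);
const PAGE_ORIGIN = "https://shop.example/checkout";

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Split a page into external script URLs and inline script bodies.
function extractScripts(html) {
  const external = [];
  const inline = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]);
    else inline.push(m[2].trim());
  }
  return { external, inline };
}

// A valid certificate proves nothing (skimmers are served over HTTPS precisely to
// avoid mixed-content warnings), so judge each script by its host, not its padlock.
function auditExternalScripts(html, allowedHosts = ALLOWED_HOSTS, origin = PAGE_ORIGIN) {
  const findings = [];
  for (const src of extractScripts(html).external) {
    let url;
    try {
      url = new URL(src, origin);
    } catch (e) {
      findings.push({ src, reason: "unparseable URL" });
      continue;
    }
    if (url.protocol !== "https:") findings.push({ src, reason: "not served over HTTPS" });
    else if (!allowedHosts.has(url.hostname)) findings.push({ src, reason: "host not on allowlist" });
  }
  return findings;
}

// Inline scripts that do not appear in the baseline capture of the same page.
// A real baseline would store hashes; bodies are compared verbatim here for brevity.
function newInlineScripts(baselineHtml, liveHtml) {
  const known = new Set(extractScripts(baselineHtml).inline);
  return extractScripts(liveHtml).inline.filter((body) => !known.has(body));
}

// Constructed sample pages; the markup and hosts are invented for this example.
const BASELINE_HTML = `
<form id="checkout"><input name="cardnumber"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1.js"></script>
<script>window.dataLayer = [];</script>`;

const LIVE_HTML = BASELINE_HTML + `
<script src="https://shop-example-stats.example/a.js"></script>
<script src="http://cdn.example/lib.js"></script>
<script>var marker = "inline script absent from baseline";</script>`;
```

Run it against a fresh fetch of the live checkout page alongside a stored baseline; any finding from either function is worth a human look, since a lookalike host with a paid-for certificate passes every browser check.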

2) British Airways

While British Airways' website may only have been compromised for 14 days - 21st August to 5th September 2018 - the payment details of some 565,000 customers were compromised as a result. And it wasn't just the website that was affected, but the mobile app - which scrapes much of its content and infrastructure from the website.

"This is an important aspect: when the user interacts with the app, they have a false sense of security that they are interacting with a closed and secure environment. Unfortunately the reality is different: in most cases mobile apps are just front-ends for a web app. This means they are at risk of the same vulnerabilities as the web app itself," Paolo Passeri, cyber intelligence principal at security specialists Netskope, told Computing.

The attack on British Airways, given the high profile of the target and well-heeled nature of many of its customers, appears to have been attuned to the company's website. "The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection," notes RiskIQ.

It adds that the registration date of the digital certificates used in the attack indicates that the hackers had access to British Airways' internal IT infrastructure well before 21st August.

"Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.

"While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets," warned RiskIQ.

What keeps British Airways off the top spot is that it was relatively quick to respond to the attack - relative to Ticketmaster - and didn't brush off knowledgeable warnings from outsiders.

1) Ticketmaster

What stands out about the Ticketmaster attack - giving it the unprestigious top spot over British Airways - is the length of time that the attackers had inside the systems of the global ticketing company: for FIVE MONTHS, between February 2018 and June 2018, while ‘International Customers' were exposed for nine months, between September 2017 and June 2018.

Not only that, when Ticketmaster was warned in early April by upstart bank Monzo that its payment systems had been compromised, it swore blind that everything was a-okay. It was only months later that staff in the company's IT department came to the crashing realisation that hundreds of thousands of its customers could have been ripped off by its lackadaisical website security.

Indeed, Monzo's account about what happened at Ticketmaster is arguably more enlightening than Ticketmaster's own somewhat grudging explanation.

"We spotted signs of this breach back in early April," Monzo's head of financial crime, Natasha Vernier, claimed. The link was made after around 50 customers had contacted the bank complaining of potentially fraudulent activity on their accounts.

"After investigating, our Financial Crime and Security team noticed a pattern: 70 per cent of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster…

"Within four-and-a-half hours, the team rolled out updates to our fraud systems to block future transactions on other customers' cards that looked suspicious in a similar way.

"That evening, we reached out to other banks and the US secret services (who are responsible for credit card fraud in the US) to let them know what we'd seen and ask if they'd seen anything similar. At the time, they hadn't.

"Over the following weekend we saw attempted transactions on four of our customers' cards that our fraud system automatically blocked. Of those four cards, two had previously been used at Ticketmaster. The next week, we saw four more compromised cards. All four had been used at Ticketmaster."

Interestingly, perhaps, one of the key pieces of information identifying Ticketmaster as the source of the spillage was an incorrectly typed expiry date, causing the rejection of a transaction with Ticketmaster. The same (incorrect) details were then used just days later in a subsequent attempted fraudulent transaction.

As a good corporate citizen, Monzo contacted Ticketmaster and were given short shrift. "They told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns," writes Vernier.

If CISOs take just one lesson away from the Ticketmaster breach it is this: if a bank rings you up to warn you that your organisation's IT infrastructure is leaking customer credit card details, then you should take it very seriously indeed.

Sundry other organisations also targeted by Magecart that didn't make this list: Faber & Faber, Faber Academy, Countrywide Healthcare, furniture retailer Aria, Oppo Suits, VisionDirect, Kitronik, Umbro Brazil, Adminer, Jungle Lee, Forshaw, Absolute New York, Safe Harbor Computers, GetRXd, Cajun Grocer, Everlast Worldwide, GUESS Australia, Rebecca Minkoff (fashion, apparently), Chef Central, Mothercare Indonesia, Savannah Collections, UK Bathroom Store, Graham and Green, Brook Taverner… In total, Sanguine Security forensic security analyst Willem de Groot believes that as many as 6,000 organisations may have been compromised by Magecart.