Summary: Hackers are using increasingly sophisticated techniques to hide malicious code on e-commerce websites with the goal of stealing payment card details. Known as web skimmers, these malicious scripts have led to major breaches at online retailers over the past year and will very likely continue to cause problems for some time to come.
Our Threat Intelligence team has discovered MageCart injected and encoded into the Forbes subscription website.
It has been responsible for recent card breaches on websites belonging to high-profile companies like British Airways, TicketMaster, Newegg, Feedify, Shopper Approved, as well as sites belonging to numerous smaller online merchants.
Tactics, techniques and procedures: The threat actor is known for using stealthy techniques to make code injections hard to detect, sometimes even compromising third-party service providers whose legitimate code is already loaded into websites.
The attackers inject skimming scripts through back doors. The skimming code runs for a period of time before being discovered and removed.
Conclusions: Hacking into e-commerce websites and stealing credit card details from databases goes back 15 years or more. However, as the security of both physical and online transactions increased over time, the attacks have shifted to the point of entry rather than stored records.
This attack also follows the current trend of compromising organisations through trusted third parties rather than attacking them directly.
The threat actor behind MageCart represents a significant and imminent threat to online retailers of all sizes.
Advice: Invinsec strongly recommends that all online retailers scrutinise all third-party scripts used on their websites, whether for advertising, visitor analytics or other purposes. There are several techniques available to achieve this, such as integrity-checking script content and using change control to adopt modified versions, or hosting scripts directly rather than referring to third parties.
Invinsec also recommends that only absolutely essential third-party code is called on payment pages.
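The integrity-checking advice above can be put into practice with Subresource Integrity (SRI) hashes. The following is an added example, not Invinsec's tooling: it computes an SRI value for a script body, verifies fetched content against a recorded hash (so a modified third-party script is detected), and audits a constructed sample page for cross-origin scripts that carry no integrity attribute. The host names in the sample HTML are made up.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not a real site): one pinned third-party script,
# one unpinned third-party script, and one first-party script served from the same origin.
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.analytics.example/track.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://ads.example/ads.js"></script>
<script src="/static/checkout.js"></script>
</body></html>
"""

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for script content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_integrity(content: bytes, integrity: str) -> bool:
    """True only if the content hashes to the recorded SRI value; a changed script fails."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown or malformed integrity string is treated as a failure
    return sri_hash(content, algo) == f"{algo}-{expected}"

class ScriptAuditor(HTMLParser):
    """Collect every external <script> tag and whether it carries an integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def unpinned_third_party_scripts(html: str, own_hosts=()) -> list:
    """Return the src of each cross-origin script that has no integrity attribute."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    flagged = []
    for src, integrity in auditor.scripts:
        host = urlparse(src).netloc  # empty for relative (first-party) paths
        if host and host not in own_hosts and not integrity:
            flagged.append(src)
    return flagged
```

Running `unpinned_third_party_scripts(SAMPLE_HTML)` on the sample flags only the ads script; scripts without an integrity attribute are the ones a silently modified third-party file can reach.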