Reviewing our 2019 AppSec predictions: Supply chain attacks


At the start of the year, I made three predictions about attack vectors that would become big problems over the year and beyond. This is a look at where the three stand now, at the end of the year. Let’s look at #3 – Supply chain attacks.

Prediction:
Magecart is the most popular version of the third trend – Supply Chain Attacks. Over the years, most applications have used third-party libraries and scripts as part of the software supply chain. Attacks against these third parties used to happen from time to time, but in 2018 they’ve become an alarming new trend. … The scale of the attacks has been massive, and the attackers have taken special precautions to hide the compromise indicators from researchers and scanning tools.

Ticketmaster, British Airways, NewEgg, The Atlanta Hawks, Forbes magazine, Smith & Wesson, Rooster Teeth, Macy's, Sweaty Betty, and over 2 million others.

2018 made the Magecart group and their methods famous (they have been active since around 2016), and over the course of 2019 we’ve seen them grow very rapidly. Their attacks have been so successful that multiple similar groups are suspected of being active and successfully stealing payment information.

In the case of British Airways, the Magecart hack cost the airline $229 million in GDPR fines. The attackers injected a malicious version of the Modernizr JS script, which collected information from the payment screen and sent all the stolen data to a C2 server. This attack claimed about 38,000 victims.

In the case of Macy’s, one of the most recent and massive attacks, another JS script was tampered with, and customer payment data was stolen here as well. This time, however, the attack group spent significant effort on the skimmer itself. Per RiskIQ, the group spent much more time building the script and integrating it into the checkout flow than had been seen before. Aside from credit card data, the skimmer also stole credentials during the new customer registration flow.

Magecart and similar attack groups have been learning and upgrading their tools quite rapidly. British Airways was one of the first large-scale attacks, and the groups have kept evolving through to the Macy’s attack. Each time they are detected, the scripts gain new offensive and defensive capabilities. The scripts themselves attempt to detect when the site is being scanned, to avoid being discovered. The newly added credential stealing, along with the increased integration, points to groups making specifically targeted attempts, versus the earlier “exploit all the payment pages” method.

Defenses against these attacks need to be put into place to protect the integrity of the third-party scripts and libraries being used and to prevent compromised scripts from being loaded.
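
One way to protect the integrity of third-party scripts as described above is Subresource Integrity (SRI): the page pins a hash of each reviewed script, and the browser refuses to run a copy that does not match. The following is an added example, not code from the original post; the function names, the sample script bodies and the `shop.example` and `cdn.example` origins are constructed for illustration.

```javascript
// Added example: Subresource Integrity (SRI) checks for third-party scripts.
const { createHash } = require('node:crypto');

// Strength order browsers apply when an integrity attribute lists several hashes.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Build the value for integrity="..." from the reviewed script body.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Mirror the browser check: only hashes of the strongest listed algorithm count.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((value) => ({ alg: value.slice(0, value.indexOf('-')), value }))
    .filter((e) => ALGS.includes(e.alg));
  if (entries.length === 0) return false; // audit tool fails closed on unusable metadata
  const strongest = Math.max(...entries.map((e) => ALGS.indexOf(e.alg)));
  return entries.filter((e) => ALGS.indexOf(e.alg) === strongest)
    .some((e) => e.value === sriHash(body, e.alg));
}

// List cross-origin <script src> tags that lack an integrity attribute.
// Regex matching is a simplification for this sketch, not a full HTML parser.
function unpinnedScripts(html, pageOrigin) {
  const missing = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, out of scope here
    const url = new URL(src[1], pageOrigin);
    const pinned = /\bintegrity\s*=\s*["'][^"']+["']/i.test(tag);
    if (url.origin !== new URL(pageOrigin).origin && !pinned) missing.push(url.href);
  }
  return missing;
}

// Constructed sample data: a reviewed library build, a modified copy, and a page.
const reviewed = 'window.lib = { version: "1.0" };';
const tampered = reviewed + '/* unexpected extra code */';
const pin = sriHash(reviewed);
const page = `<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="${pin}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>`;
```

Running `unpinnedScripts` over rendered checkout pages in CI gives a list of third-party scripts that would load without any integrity check, and `verifySri` can be used to confirm that a hosted copy still matches the hash that was reviewed.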

 

Barracuda Web Application Firewall (WAF) protects your web, mobile and API applications from being compromised, and prevents data breaches— ensuring you maintain your reputation and your customer's confidence. Get started with a free trial here.
