We’ve spent a lot of time over the past few months talking about COVID-19. There’s no denying its impact on corporate cybersecurity, both in providing an opportunity for phishing lures and exposing distracted, under-protected home workers. But as countries ease lockdowns and non-essential businesses are tentatively allowed to re-open, thoughts turn to driving that much-needed “v-shaped” recovery. A big part of this will come down to online sales.
However, as events from recent days have shown, digital skimming gangs are primed and ready to take advantage. In response, it’s not enough to simply focus on your web servers — IT leaders also need to tackle cloud misconfiguration to reduce the attack surface.
On the hunt
New Magecart attacks are emerging all the time — there are said to be 12 or more groups operating today — but seem to have ramped up during the pandemic when more shoppers migrated to online channels. One report revealed a 20% increase in detected threats amid the crisis and the discovery of a new skimmer dubbed “MakeFrame”.
Over the past week the attacks have continued, with two of the world’s biggest retail chains hit. US-headquartered accessories specialist Claire’s and sister site Icing had skimming code placed on their payment pages. Data was stolen and sent to a malicious domain registered a month earlier. Also impacted was sporting retail giant Intersport, where malware was loaded onto its e-commerce stores in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina. Interestingly, the firm cleaned its web code of Magecart only to have it reappear 11 days later.
Danger in the cloud
At first glance, this would seem like a job for your web security team. However, it is more complicated than that. Another potential avenue for exploitation is via misconfigured cloud security platforms. For years researchers have been warning that companies are leaving cloud databases wide open without a password because they’ve misunderstood the service provider’s policies. It’s a problem that’s arguably becoming more acute today as companies invest in multi-clouds from different vendors — increasing the complexity of managing these systems securely with limited in-house resources.
Unfortunately, opportunistic cyber-criminals are now actively probing for exposed systems. A new piece of research out last week set up an exposed Elasticsearch instance as a “honeypot” to see how quickly it would be attacked. In the end, it took just eight hours for the first unauthorized request to come through. Over the duration of the research, the instance was attacked 18 times per day.
Time to clean up
You don’t have to look far to see the potential impact of a serious Magecart attack. Last year the UK’s Information Commissioner’s Office (ICO) issued a notice of intent to fine BA over £183 million for GDPR non-compliance. A major Magecart breach of the firm’s website in 2018 led to the theft of personal and financial data on 500,000 customers.
Yet despite its often big-name victims, Magecart more commonly affects smaller online firms with fewer resources to spend on cybersecurity. Often the code is left up for days before it is noticed, resulting in a potentially serious financial impact via chargeback fees. That’s not to mention the brand damage and possible non-compliance fines.
Here are a few best practice tips for mitigating the threat:
- On the web security side, implementing Content Security Policy (CSP) and Subresource Integrity (SRI) can help
- Install patches from your e-commerce/payments platform provider as soon as they are
- Keep AV on and up-to-date at all times
- Maintain PCI DSS compliance
- Regularly test incident response plans
- Invest in Cloud Security Posture Management (CSPM) to spot and remediate any configuration errors
At a time when the global economy needs all the help it can get, cyber-resilience becomes an essential prerequisite for a rapid recovery from the current crisis.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.