Three days ago Dutch developer Willem De Groot announced that 5,900 online stores were infected with malware. The malware is skimming credit card details from shoppers due to unpatched software flaws. Now RiskIQ has published details of another attack it is calling Magecart.
Stealing customer data from online stores is nothing new. It has been going on since the dotcom explosion led everyone to think they desperately needed an online store. The vast majority of stores are owned by small businesses. They use third-party developers to write or integrate often free shopping carts in order to make money. What they don’t do is ensure that software is constantly updated or keep on top of security alerts. This makes life easier for the hackers.
What is Magecart?
The Magecart code hooks into web forms, which allows it to capture data as users type it in. RiskIQ says that it has even seen additional fields inserted into web forms to allow attackers to gather extra data. This is likely to be data required to further authenticate the user, enabling anyone who buys the details to monetise them quickly.
The attackers are using HTTPS to exfiltrate stolen data. This means that the data is sent over an encrypted channel that the web store owner will not be able to see. While there are ways to inspect what is being sent, doing so is expensive and requires skills many small retailers lack. The stolen data is hosted on remote attacker-operated sites that also use HTTPS. Keeping the stolen data hidden inside encrypted network traffic is becoming increasingly common and helps to hide what is happening from network teams.
A sophisticated operation
The professionalism around cyberattacks is increasing. The team behind Magecart are using the same approach to their malware as software teams use to build in-house and commercial tools. RiskIQ says that it has identified the following activity by the developers of Magecart:
- Testing and capabilities development
- Increased scope of targeting payment platforms
- Development and testing of enhancements
- Addition of obfuscation to hinder analysis and identification
- Attempts to hide behind brands of commonplace web technologies to blend in on compromised sites
Not just an attack on small sites
In De Groot’s analysis he points out that sites affected by the skimming software include some very large names. Interestingly, the link to those names from his blog no longer works. This is likely to be due to pressure from some of those named to remove their details.
The RiskIQ analysis names a number of sites that were infected. It provides a walkthrough of what was happening with Magecart on those sites and which eCommerce platform each was using. The list includes:
- UK publishing house Faber and Faber (Magento Commerce)
- Clothing and fitness company Everlast Worldwide Inc
- Fashion house GUESS Australia (Powerfront CMS)
- Fashion brand Rebecca Minkoff (Magento)
Information for security teams
As with all RiskIQ releases around threats, there is a long list of data that can be used to see if a company has been infected. It lists attacker domains, IP addresses and sample URLs. It takes very little effort to import this threat data and run it against security logs. This is something that security teams, both in-house and even at hosting companies, should do immediately.
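As an added illustration of that check (not code from RiskIQ or from the report), the script below loads an indicator list in the three shapes RiskIQ publishes (domains, IPs, sample URLs) and runs it over proxy-style access log lines. The indicators, the log format and the log lines are constructed placeholders, not values from the page.

```python
import re
from urllib.parse import urlsplit

# Indicator list in the shape RiskIQ publishes. Constructed placeholders only;
# replace with the domains, IPs and URLs from the actual threat report.
IOC_DOMAINS = {"skimmer-placeholder.example", "cdn-placeholder.example"}
IOC_IPS = {"203.0.113.10"}
IOC_URLS = {"https://skimmer-placeholder.example/js/"}

# Assumed proxy log layout: timestamp client-ip method url destination-ip
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<dst>\S+)$")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2016-10-06T10:00:01Z 10.0.0.5 GET https://www.shop.example/checkout 198.51.100.7",
    "2016-10-06T10:00:02Z 10.0.0.5 GET https://js.skimmer-placeholder.example/js/form.js 203.0.113.10",
    "2016-10-06T10:00:03Z 10.0.0.9 POST https://cdn-placeholder.example/collect 198.51.100.8",
    "2016-10-06T10:00:04Z 10.0.0.9 GET https://www.shop.example/static/app.js 198.51.100.7",
]

def domain_matches(host, indicator):
    """True if host equals the indicator domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

def match_line(line):
    """Return a list of (indicator_type, indicator) hits for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than crash the sweep
    host = urlsplit(m["url"]).hostname or ""
    hits = []
    for d in IOC_DOMAINS:
        if domain_matches(host, d):
            hits.append(("domain", d))
    for ip in IOC_IPS:  # destination IP or an IP-literal host in the URL
        if ip in (m["dst"], host):
            hits.append(("ip", ip))
    for u in IOC_URLS:  # sample URLs are matched as prefixes
        if m["url"].startswith(u):
            hits.append(("url", u))
    return hits

def scan_log(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for n, ln in enumerate(lines, 1):
        hits = match_line(ln)
        if hits:
            results.append((n, ln, hits))
    return results
```

Subdomain matching on the domain indicators is deliberate, since a skimmer host may be served from a subdomain of the listed attacker domain; tighten it if the list produces too many hits on a shared hosting domain.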
There is also a list of 119 affected web stores that is worth reading through. Anyone who has visited these sites should check their credit card details and talk to their bank immediately. They should also change all their security information, especially passwords and security questions and answers, as soon as possible.
The disruption of retailing by online stores has been good for consumers. However, the revelations of De Groot and RiskIQ show that it comes at a price. Organisations must pay strict attention to the security of their web stores or risk losing customer data. With regulators in different countries tightening up the law on lost data, it won’t be long before fines against some retailers see them go out of business.
There is also a need for hosting companies to do more. They are in a better position to use the threat intelligence data published by the likes of RiskIQ and scan their logs. This enables them to help customers who may have become infected.