Magecart: Why evil wizards are your number 1 ecommerce problem

Even though the evil wizards of Magecart are strong, devious and able to exploit even the most-secure platforms, with the right tools ecommerce firms can see them coming

Magecart is the number one security issue facing every ecommerce platform. How does this dangerous wizard steal your customer data? What can you do to prevent this crime and ensuing reputational catastrophe?

Old Adversary, New Threat

Ecommerce is booming, it’s fast-moving and exciting. However, someone is trying to steal from you – but they aren’t taking your products. They are pickpocketing your customer’s data, directly from their machines and in the process damaging your reputation, sometimes irreparably.

Data breaches are not a new phenomenon; the frequency and size of attacks have increased dramatically since Magecart first appeared in 2015. Even worse, you now have to publicly report them to the ICO. Damage limitation has never been so important.

From 2015 to 2016 there was a 40 percent increase in attacks. 2017 saw a 35 percent increase and 2018 saw the biggest breach so far that cost British Airways £183 million in fines and immeasurable cost to its reputation.

Formjacking accounted for 71 percent of all web-related data breaches in 2018. These attacks are very often not detectable by traditional security measures – yet you are still responsible and your brand is at risk. Something needs to be done.

Casting the Data Breach Spell

Magecart wants your customer’s data. The more data it can gather about a customer, the higher the price it can sell it for in their criminal networks.

Attacks are well hidden, occur multiple times and, in some cases, the site is compromised for only a few hours, restored and then attacked again and again over a few weeks with no means of detecting this until it’s too late.

When Magecart steals customer data there is a huge cost to any organisation. In addition to the brand damage, the business risks losing customers and facing demands for payment in fines from the ICO.

The estimated average cost of a major data breach is now over $4 million. Under GDPR rules, businesses can also be fined up to €20 million or 4 percent of annual turnover. That is a $400,000 fine for a $10m revenue business. Can you afford to get this wrong?

Magecart attacks have occurred on numerous ecommerce sites including Ticketmaster, PrismWeb, Leicester City and many more. The recorded average time taken to detect a Magecart attack is currently 12 days with thousands affected. In truth, this is a very conservative estimate, in the 16 days that British Airways was breached, almost half a million people were compromised.

Detecting Attacks, Defending your Position

Whether an attacker is hacking a third party in the website supply chain, formjacking or using some other technique for skimming data, there is one common theme – the data must be sent somewhere.

RapidSpike specialises in monitoring client-side digital experience interactions. So it set about trying to detect when data was being sent – and where to.

During early research, one of its developers identified a significant security vulnerability. The One Planet York app was sending the personal details of its users, to other users of the app, whenever any user opened its leaderboard.

This isn’t what data breach monitoring is about, but a key lesson all the same. City of York Council left the door wide open, and luckily, we immediately informed the council of the vulnerability. However, a lot of reputational damage had occurred due to their handling of the issue.

We do sympathise – dealing with data breaches is complex. The trick is finding the issue quickly, and having robust security measures. It’s about understanding the risks you are taking with people’s data, and about your internal processes and damage control. You need to get this right.

Studying Offence to Build Defence

During the testing period, news broke that Vision Direct was the next Magecart victim. They lost 6,600 customers’ financial details in the 6 days before the attack was detected.

We once again observed the attack used several different methods – whether it was embedding code in internal JavaScript or using Google tag manager to insert a new skimmer, the same commonality existed – they had to send the data somewhere.

After analysing the code contained in the vision direct attack file, we were able to create a fake payment form that was susceptible to the same skimming attack. We recreated the live environment where it happened, filled out our fake payment form and all the data on that form was sent to the attackers.

Around 5 minutes later we received an alert from our Data Breach Monitor: data was being sent to an untrusted host, and we can see everything. Success!

Exploiting Weaknesses

If you are using third-party extensions for marketing, analytics, reviews, comments, etc., you have little control over their security. Supply chain attacks are incredibly hard to prevent and the more third-party suppliers an ecommerce site has, the greater the risk of it being attacked.

Ecommerce data breaches are targeted, sophisticated and becoming more frequent and sustained. The criminals responsible for these attacks are adept and coordinated masters of deception who can swiftly target any vulnerabilities, across multiple platforms in multiple languages.

All that responsible business owners can do is to take measures to try and contain the problem. The good news is that, although the attackers are very clever and extremely stealthy, they leave clear indicators behind. The leading cyber security platforms can intervene to protect customers’ information before catastrophic financial and reputational injuries are sustained. This means that while the evil wizards of Magecart out there are strong, devious and able to exploit even the strongest, most secure platforms, with the right tools ecommerce firms can see them coming.