When Magecart steals customer data there is a huge cost to any organisation. In addition to the brand damage, the business risks losing customers and facing demands for payment in fines from the ICO.
The estimated average cost of a major data breach is now over $4 million. Under GDPR rules, businesses can also be fined up to €20 million or 4 percent of annual turnover. That is a $400,000 fine for a $10m revenue business. Can you afford to get this wrong?
Magecart attacks have occurred on numerous ecommerce sites including Ticketmaster, PrismWeb, Leicester City and many more. The recorded average time taken to detect a Magecart attack is currently 12 days with thousands affected. In truth, this is a very conservative estimate, in the 16 days that British Airways was breached, almost half a million people were compromised.
Detecting Attacks, Defending your Position
Whether an attacker is hacking a third party in the website supply chain, formjacking or using some other technique for skimming data, there is one common theme – the data must be sent somewhere.
RapidSpike specialises in monitoring client-side digital experience interactions. So it set about trying to detect when data was being sent – and where to.
During early research, one of its developers identified a significant security vulnerability. The One Planet York app was sending the personal details of its users, to other users of the app, whenever any user opened its leaderboard.
This isn’t what data breach monitoring is about, but a key lesson all the same. City of York Council left the door wide open, and luckily, we immediately informed the council of the vulnerability. However, a lot of reputational damage had occurred due to their handling of the issue.
We do sympathise – dealing with data breaches is complex. The trick is finding the issue quickly, and having robust security measures. It’s about understanding the risks you are taking with people’s data, and about your internal processes and damage control. You need to get this right.
Studying Offence to Build Defence
During the testing period, news broke that Vision Direct was the next Magecart victim. They lost 6,600 customers’ financial details in the 6 days before the attack was detected.
We once again observed the attack used several different methods – whether it was embedding code in internal JavaScript or using Google tag manager to insert a new skimmer, the same commonality existed – they had to send the data somewhere.
After analysing the code contained in the vision direct attack file, we were able to create a fake payment form that was susceptible to the same skimming attack. We recreated the live environment where it happened, filled out our fake payment form and all the data on that form was sent to the attackers.
Around 5 minutes later we received an alert from our Data Breach Monitor: data was being sent to an untrusted host, and we can see everything. Success!
Exploiting Weaknesses
If you are using third-party extensions for marketing, analytics, reviews, comments, etc., you have little control over their security. Supply chain attacks are incredibly hard to prevent and the more third-party suppliers an ecommerce site has, the greater the risk of it being attacked.
Ecommerce data breaches are targeted, sophisticated and becoming more frequent and sustained. The criminals responsible for these attacks are adept and coordinated masters of deception who can swiftly target any vulnerabilities, across multiple platforms in multiple languages.
All that responsible business owners can do is to take measures to try and contain the problem. The good news is that, although the attackers are very clever and extremely stealthy, they leave clear indicators behind. The leading cyber security platforms can intervene to protect customers’ information before catastrophic financial and reputational injuries are sustained. This means that while the evil wizards of Magecart out there are strong, devious and able to exploit even the strongest, most secure platforms, with the right tools ecommerce firms can see them coming.