Having a Content Security Policy: Is that Enough for Online Businesses to Combat Magecart?
Article updated on May 2022
Companies, mostly eCommerce sites, are actively looking for a way to handle the emerging threat of Magecart groups. Content security policy, which is not a costly solution, has become an integral part of many security-toolboxes. But is there a lack of sync between security and what actually protects your environment from web skimming?
Understanding the Third-Party App Challenge
Without dozens of third-party applications that enhance everything from user engagement, site performance and analytics, today’s eCommerce websites simply couldn’t run smoothly. However, as these applications are loaded externally by third-party vendors, they can offer unexpected entry points for savvy attackers, many of which are not protected by traditional security controls. For example, a Web Application Firewall or an Intrusion Prevention System would not see or moderate the behavior of a third-party application, as it’s acting on the client-side.
However, if your visitors click on a malicious widget, link or form on your website, or enter their sensitive data unawares, this can be the start of a data breach or a supply chain attack, or the end of your clean as a whistle compliance posture.
One famous example of this kind of attack is done by several hacking groups, collectively known as Magecart attacks. They specialize in gaining unauthorized access to business websites through third-party applications, the execution of malicious content into checkout pages, and then stealing data from unsuspecting customers, who believe their data is only being viewed and managed by your company.
These attacks are getting more sophisticated all the time. In September 2020, over 10,000 online shoppers were attacked by a Magento exploit when 2,000 eCommerce websites were targeted with a payment-card skimmer. More recently in February 2022, by abusing a single vulnerability in a QuickView plugin, more than 500 eCommerce sites were impacted by a Magecart web skimming attack, with 350 stores attacked in a single day.
What is Content Security Policy? (CSP)
Content Security Policy (CSP) is a computer security standard introduced in 2004. The aim of the standard was to combat malicious activity such as cross-site scripting (XSS), clickjacking, and other similar kinds of attack, especially where client-side code injections are used to put browsers at risk when browsing on the web.
Putting CSP into action requires your security team to add a Content-Security-Policy HTTP response header into the webpage and then to assign rules to fully control the resources end-users can load and the destinations that they can visit. As the elements that you can create policies for using the content security policy header can be scripts, pictures, videos, forms and more, it makes it a lot harder to pull off Magecart attacks. The idea is that you configure specific directives into this content security policy not to load external resource scripts, and then when the attacker attempts to load a malicious script to your site – this action is blocked.
But here’s the multi-million dollar question… does it work?
Did You Know? The May 2020 Paramo Magecart attack lasted for 8 months with over 3700 people’s credit card details stolen
Why is CSP Not Enough?
Before we dive into any limitations, it’s important to recognize that a content security policy is a great thing to have! It’s recommended by upcoming PCI-DSS regulations for v4, and it’s not going to do any harm to have a content security policy report giving you information about your environment. A CSP will certainly make the attackers work harder to breach your environment, so go for it!
However, I’m going to suggest that it’s a limited solution that will only provide partial protection against web skimming attacks, and here’s why.
The techniques to enforce CSP delivery include using a blacklist/whitelist approach. You will need to whitelist trusted domains and applications, rather than drill down into the actions that each third-party is taking inside your environment. What does this mean in practice?
- As the site owner, you will approve trusted third-party vendors, despite the fact that attackers can gain unauthorized access to those vendors in a supply-chain attack event and will be given an open door to your environment. While they might find it harder to extract the data, this is still a huge risk.
- Many of the most famous Magecart attacks used internal unsecured servers and scripts, and injected malicious code from inside the business itself. You can’t manage all of your local scripts using CSP. In short, the call might be coming from inside the house, and CSP will probably be configured to approve it.
- A common global service can be used to launch the attacks. In this case, the Google Analytics API was leveraged to hack into eCommerce websites. By mimicking Google analytics scripts, attackers were whitelisted and able to steal sensitive data from users. Since there are many whitelisted services out there, the attacker can try to use them to his advantage.
Did You Know? As per a recent Google research, around 25% of XSS bugs can be exploited even with a strict CSP in place
The other problem with CSP is that it’s a high maintenance solution which will use a lot of resources and require many techniques to enforce CSP delivery that truly works for your environment.
You need to define a whitelist and a blacklist policy for each domain and the scripts that it uses. You’re likely to have dozens of third-party vendors and hundreds of scripts and services running on your website. Suddenly, it’s a full time job just to keep the CSP up to date. Not only that, but every time a script changes, this will be blocked at the production stage, impacting business continuity when most of the time there will be zero cause for concern.
Adding Reflectiz to the Conversation
CSP is still a powerful weapon, but it’s not exactly a Magecart vaccine. Ideally, you need to combine this approach with other security measures. This is where Reflectiz comes in, a plug and play solution for the risks of third-party applications, including web skimming. You’ll get:
- Enhanced Visibility: Manage all your third-party and open-source inventory via one centralized dashboard. Be sure about what software you are allowing into your ecosystem, even when stakeholders are working from remote locations.
- Monitoring and Tracking Capabilities: Learn about the behavior of all the external applications you use. This includes their client interactions, data collection and even suspicious uncommon activities.
- Actionable Insights: Enhance transparency to gain real-time information and respond accordingly. Monitor everything on the go and get smart learning alerts, in context with business requirements.
- Advanced Reporting: Reduce cross-department friction within your company, with in-depth reporting that supports collaboration, visibility, and information sharing. No more slowdowns.