Magecart Evolves Again: A New Case Study
Our newest case study takes a detailed look at how Magecart web-skimming attackers once again pivoted to a new tactic during the Spring of 2023. The Magento open-source e-commerce platform (now known as Adobe Commerce) has been a popular target for a long time, but despite security keeping pace with new methods of attack, criminal groups keep coming up with more sophisticated ways of exploiting vulnerabilities. It’s like a never-ending game of leapfrog where it doesn’t matter to the attackers if they keep losing because they only have to win once to get their payday.
A Little History
Since then, Magecart attackers have tried many different ways of tweaking the basic concept. In 2019 they launched an exploit that compromised various third-party website tools, one of those being the Picreel premium conversion optimization plugin. Once their code was embedded in the tool it harvested shoppers’ payment details on thousands of websites. Google Tag Manager has been used in this way too.
Why is Magento Still a Target?
Magento attracts attackers because it’s still one of the top 10 e-commerce website platforms. It has built-in PHP, so it gives developers the tools they need to build successful shopping websites. It powers more than 270,000 merchants’ online businesses, or 1.2% of all websites on the internet, and processes $155 billion worth of transactions every year. Since being acquired by Adobe, its use looks set to rise, and with increased popularity, particularly in the enterprise sector, it seems likely that Magecart attacks will increase.
An Equal Opportunities Criminal Venture
Magecart criminals are not choosy about who they hit. Ticket sellers, restaurants, airlines, and many other businesses of all shapes and sizes across various sectors have been blindsided by these stealthy attacks. So, if you thought that your company might be too small to be noticed, think again. If you have a checkout page, you have a problem!
This latest spate of attacks offers proof that the Magecart cybercrime syndicate with its unknown number of subgroups is as active as ever, and if it wasn’t such a deeply harmful thing that they do you could almost admire their ingenuity in evolving to stay effective.
The new case study goes into the details, but to give you an overview, eight years after that first big attack, with this latest method they used fake Shopify stores to try and capture payment details from thousands of victims. The attackers added the stores to the Shopify content delivery network (CDN). If you weren’t aware, a CDN is a worldwide server network that handles content distribution for a global site at the local level. When a customer visits a Shopify store in southern Australia, for example, the CDN routes the request via the server that’s physically nearest to them, so the store’s files and images arrive faster, without the lag that would come with using a server on the other side of the world.
The cybercriminals found a way to upload their own code to the CDN, and this allowed them to overlay fake checkout forms over the real ones to steal the shoppers’ credentials and card numbers. The fact that Shopify uses the Cloudflare CDN meant that unsuspecting victims would see two well-known brand names that they trusted.
Luckily, Reflectiz uncovered the problematic domains and scripts before they could do any harm and issued critical alerts. One of the reasons why ordinary security solutions don’t catch these kinds of web skimming attacks is that the code is rendered in the client’s browser, so it sits outside of a company’s servers and firewalls.
Another thing to bear in mind is that typical security tools and policies weren’t designed for dynamic environments like online shopping carts. One of the benefits of Reflectiz is that it is. Our continuous monitoring platform uses a proprietary browser that interrogates every piece of code in operation on the site, logging whose it is, what it’s doing, and where it’s sending data. If it identifies any behaviors that are out of the ordinary, it flags them up promptly. On this occasion, the platform detected code that other solutions might have missed and alerted site owners so they could respond promptly.
Reflectiz continuously monitors site activity for web threats without the need to place any code on clients’ websites. Because it works remotely, the effect on site performance of using it is minimal—the equivalent of just a single user visiting. It also means that it can’t be tricked by first, third, and even fourth-party components that have been repurposed to steal financial login credentials, as well as a host of other exploits.
That’s the overview of what Reflectiz did, but to get more insight into the mechanics of how the breach was intended to work and how the platform detected it, you’ll need to read the full text of the new case study. It’s revealing to see how Magecart attackers work and reassuring to see how Reflectiz delivered such an effective response. With Magento looking set to rise in popularity over the next few years, it’s becoming more important than ever for online retailers to keep their stores safe in the face of ever more sophisticated attacks.