Magecart Strikes Again: Highly Organized Web Skimming Attacks Are Here to Stay
As 311 US restaurants are targeted by a new wave of Magecart attacks – Reflectiz asks, who will be impacted next, and how can online businesses protect themselves?
Two new Magecart campaigns uncovered this month by security intelligence company, Recorded Future. The attacks took place via e-skimming software that was injected via three online ordering platforms, MenuDrive, Harbortouch, and InTouchPOS. As a result, 311 restaurant websites were attacked, and data from 50,000 payment cards has been found on the Dark Web, with the likelihood that many more will have been exposed.
Who Has Been Impacted by this New Wave of Attacks?
These two new Magecart campaigns are a targeted hit on the restaurant industry, and just another example of how attackers can use connected third-party applications to wreak havoc and steal vast amounts of sensitive data. By targeting just one platform, and finding just a single vulnerability, attackers can reach dozens of restaurants with one malicious script.
In this case, by targeting third-party platform providers used in the Restaurant industry, Magecart attackers have shown how they can steal data from a greater number of users, as they managed to gain access to the whole partner database of restaurants who rely on these platforms to take payment information on their websites.
For example, in the first campaign, 80 of the impacted restaurants host their online ordering platform on MenuDrive domains, and 74 use Harbortouch. Recorded Future commented in its report that scripts from the malicious e-skimmer are still present on a portion of the partner websites, although the malicious domain has been blocked since May 26th 2022.
The second campaign utilized InTouchPOS, a point of sale solution, 157 restaurants have been impacted by this web skimming attack since November 2021, and some of these restaurants are still suffering from infected scripts on their websites, and worst of all – are hosted on malicious domains which are still active today.
How Does Web Skimming Work?
Magecart is not the name of a specific group, but rather many subgroups who all use this kind of attack to target online businesses, from eCommerce, to travel, hospitality, finance, healthcare, and now – restaurants, too.
Of course, web skimming attacks are nothing new. They have been a common threat since 2018, when a Magecart attack hit British Airways in a very high profile campaign that cost the company more than $1B to recover from.
There are two main kinds of web skimming attacks to be aware of. The first is a direct attack where the code is injected directly into your website. These are the more complex kind of attack for hackers to execute, and will need to be exploited alongside zero-day vulnerabilities or brute force attacks to be successful.
The second kind is what we see here with the campaigns against the restaurant industry – software supply chain attacks. Businesses today use a greater number of third-party applications than ever before, and while they are essential for functionality, (how could a small restaurant afford to create its own online ordering platform for example? Companies like MenuDrive allow them to stay in business!) they are not without their risks.
As a result of these two kinds of web skimming attack, there is no business that can consider themselves to be safe from this threat, from the smallest online business to the largest digitally-enabled company.
The dependencies that third parties create need to be managed and monitored, otherwise – malware can be injected into a trusted third party host, and all websites that use this web application will pay the price. When customers load the payment page, they load the third-party scripts, and alongside the script – the malicious code injection, and your business is none the wiser. After all, how could you be expected to know what’s happening on a third-party server? The code doesn’t originate from your environment, so it’s totally out of your control.
Don’t my current security tools solve this threat?
While anti-malware or antivirus solutions can pick up on some kinds of malware injection, or they might mitigate a zero-day vulnerability or a brute force attack which are necessary for the first kind of attack, the second is much more complex to avoid. After all, the malicious code is baked into the original web app, and the action is happening on the client side, not on the server side where your tools have visibility and control.
Some government recommendations suggest using a CSP or a WAF to help mitigate the threat, but we’ve discussed in the past their limitations for these kinds of attacks. They are a good first line of defense, but you can’t rely on them as a holistic solution that eliminates the threat altogether.
Instead, today’s online businesses need a full and accurate view of all third party applications, with a dedicated platform that is built for exactly this risk. You need to be able to continuously view:
- Which third and fourth parties have access to your website environment
- What data they can access
- Where they send this data when they receive it
In addition, an intelligent digital risk platform will be able to send smart alerts and notifications for when any third party is acting differently from its baseline behavior, so that you can quickly mitigate any threats before user data is even in the picture.
The web skimming attacks against the restaurant industry should be a wake up call for all online businesses of all sizes today. None of today’s organizations are an island, we all have supply chain partners who could be opening our customers up to risk. While restaurants were the target this time, they are not the first industry to be impacted, and they certainly won’t be the last.