Unmasking the Latest Magecart Attacks: Interview with Ysrael Gurt

Mr. Ysrael Gurt is a well-known ethical hacker with extensive experience in product development and complex problem-solving. Ysrael was ranked number 22 in Google’s Hall of Fame and his “résumé” includes revealing attacks on Facebook, Microsoft and more. In 2018 Ysrael was included in Forbes’ “30 under 30” for his unique hacking abilities and cybersecurity skills. Currently, Ysrael is the CTO and co-founder of Reflectiz, a cyber-security company that provides a next-generation security solution for websites against third-party risks.

This exclusive interview explores Reflectiz’s findings and response to a series of advanced Magecart attacks that have targeted e-commerce websites worldwide. These attacks have raised significant concerns about the security of these platforms, and the interview reveals valuable insights into the evolving strategies employed by Magecart threat actors.

Q: We’re eager to learn more about the latest Magecart attacks, specifically those utilizing fake shops on the Shopify platform as an infrastructure. Can you shed some light on this concerning trend?

Yes, we have recently observed an increase in Magecart attacks that exploit fake shops hosted on Shopify. These attacks highlight the ever-evolving strategies employed by cybercriminals to compromise e-commerce platforms and steal sensitive customer information.

Q: Can you explain what a Magecart attack is and how it operates?

Certainly. Magecart attacks are a type of digital skimming attack where cybercriminals inject malicious code into legitimate websites’ payment forms to steal customers’ payment card data. The injected code captures sensitive information, such as credit card details, which are then sent to the attacker’s infrastructure for exploitation. Then later selling this stolen data to the highest bidder on the darknet.

Q: How do attackers utilize fake shops on Shopify in these attacks?

It is quite simple. Attackers set up fake online shops on Shopify. They design these shops to closely resemble legitimate online stores, often copying their branding and layout. The attackers then inject malicious code into the fake shops, typically targeting the payment processing flow. Unsuspecting customers who make purchases on these fake shops unknowingly provide their payment card information, which is harvested by the attackers.

It is possible to upload various file types to cdn.shopify.com, including HTML files, despite it not being officially allowed. The Shopify file check is only performed on the client side, easily bypassed by any HTTP proxy such as Burp suite. We were able to upload HTML files with no limitations to cdn.shopify.com. Of course, It’s not limited only to HTML, you are also allowed to upload JavaScript, which can potentially be used as a downloader server for malicious JavaScript under Shopify domain. We know for a fact that hackers are already using Shopify as their downloader and C&C server as during the research, we found Magecart attacking a network, operating from Shopify CDN servers.

Q: That sounds alarming. What measures can shop owners and Shopify itself take to protect against such attacks?

Awareness and vigilance are key in combating Magecart attacks. Online shop owners can implement various measures to protect against Magecart attacks. First and foremost, it’s crucial to prioritize security awareness and education among online shop owners and their employees. They should be familiar with the latest attack techniques, such as Magecart, and understand how to identify suspicious activities.

In terms of technical measures, shop owners can implement secure coding practices and regularly update their website’s software and plugins to mitigate known vulnerabilities. They should also enforce strong authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to their administrative accounts.

As for Shopify, they must continue to enhance their security measures. This includes implementing strict vetting processes for new shop registrations, employing automated code scanning to detect malicious injections, and actively monitoring and responding to reports of fraudulent activity. Regular security audits and vulnerability assessments are crucial to identify and address potential weaknesses.

Q: Are there any specific technical indicators or warning signs that shop owners can look out for?

Yes, there are specific indicator to detect potential Magecart attacks. These include unexpected behavior during the payment process, such as additional prompts or multiple credit card entries. Another indicator is Inconsistent design of payment forms compared to the rest of the website, or missing security indicators like HTTPS in the URL. Of course, store owners should be monitoring network traffic for unusual outgoing connections, conducting regular website scanning and vulnerability assessments.

While these indicators can be helpful, it’s important to stay updated on evolving attack techniques and consider implementing comprehensive web security solutions like Reflectiz for proactive protection against Magecart attacks.

Q: Can you elaborate on the user journey scenario that was observed during these Magecart attacks?

Certainly. The attacks followed a three-step execution process. First, the attackers injected malicious JavaScript code into the web servers to gain access to the checkout page code. Then, the injected code performed various checks to ensure it ran specifically on the checkout pages. Finally, once the code identified the user’s details on the checkout form, it transferred the data to a remote malicious domain.

The attackers cleverly concealed their activity by generating new input elements on the checkout page, effectively hiding the genuine input fields. These genuine fields were contained within iFrames. By bypassing these iFrames, the attackers overlaid their own fake inputs, leading unsuspecting users to fill out the counterfeit form. They then encountered an error message while their credit card information was transmitted to the attackers. Users would then fill out the form again using the legitimate input fields, completing their purchase without realizing that the compromise had occurred.

Q: How did Reflectiz manage to detect and expose the sophisticated techniques employed by the attackers?

Despite the sophisticated techniques used by the attackers to hide their malicious activity, the Reflectiz platform discovered the attacks automatically right away and issued critical alerts to solve the matter. Our investigation successfully uncovered their methods. For instance, the attackers exploited known brand names of CDNs, such as Shopify and CloudFlare, to gain trust. They cleverly used subdomains of these CDNs to trick website security systems and users into believing they were legitimate domains.

Additionally, the attackers utilized encryption and obfuscation techniques to evade detection. They encrypted URLs and employed seemingly legitimate favicon files that were only served when a specific referrer header was set. These techniques aimed to bypass static analysis tools and deceive standard security controls.

Through our unique proprietary browser and continuous monitoring, Reflectiz was able to overcome these obstacles and promptly identify the final malicious domain, even without extensive deobfuscation.

Q: Looking ahead, what do you anticipate for the future of Magecart attacks?

Unfortunately, Magecart attacks are likely to continue evolving and adapting to exploit new vulnerabilities. As the holiday season is nearing, Magecart attacks will most likely culminate. We can expect attackers to target other e-commerce platforms and find innovative ways to bypass security measures. As a result, it is crucial for both users and platform providers to remain vigilant, invest in robust security solutions, and stay up to date with the latest security practices.

Conclusion

Given the severity of the threat from Magecart and the constantly evolving nature of online attack methods, this seems like the best advice not just for e-commerce store owners but for anyone who has a web presence. And when Mr. Gurt urges users to adopt robust security solutions, the Reflectiz platform has to be the foremost contender for consideration. Its effectiveness is reflected both in its track record and its popularity among enterprise users, and with so much at stake, website owners should at least consider trialling this simple yet powerful solution. Download the full Reflectiz case study about the latest Magecart attacks here.