In May of 2019, the Magecart group attacked again. As in previous incidents, the group used third-party tools to attack thousands of websites simultaneously. One of the compromised tools was Picreel, a premier Conversion Rate Optimization tool. This incident highlights a risk many websites face today: third- and fourth-party hacks lead to huge data compromises that spread very quickly across thousands of websites simultaneously and put their customers at risk of identity, credit card, and credential theft.
The malicious code was delivered to thousands of websites worldwide, including Picreel. The delivery vector was third-party code referenced at runtime. As a result, customer data such as credit card and billing information may have been collected by the attackers, leaving many of the exploited companies liable for the theft. Although the attackers’ code was not executed because of an inadvertent syntax error, unauthorized code was delivered to Picreel.
One Attack, Thousands of Victims
The culprits are groups known as “Magecart” (a play on words on “Magento”), professional cybercriminals focusing on skimming payment information. The Magecart attacks are distinct because they exploit third-party scripts used by thousands of websites. Most websites today rely on dozens of these scripts, so this approach enables a single hack to affect nearly every website that uses the component.
This latest attack involved Picreel – the gold standard of Conversion Rate Optimization (CRO) services. Picreel is trusted by Forbes, Saxo Bank, Virgin Mobile, and other top brands. Companies that rely on potential customer conversion probably use Picreel or another similar service.
Payment services are not the only functions at risk – any interaction by customers on a website might be recorded using a Magecart-style attack. Most websites rely on a complicated web of third-, fourth-, and fifth-party software to provide functionality – anywhere from essential Search Engine Optimization to convenient editing and engagement tools. And because the most critical services, like Adobe’s Magento, are trusted and few in number, an attack against an infrastructure like this can violate the trust of hundreds of thousands of websites simultaneously.