Reflectiz Detects New Magecart Malware on Shopify CDNs
TEL AVIV, Israel, June 13, 2023 — Continuous website security monitoring platform Reflectiz has released a new case study detailing its successful response to the latest evolution in the long-running saga of Magecart web-skimming and keylogging attacks. It presents a detailed but easily digestible analysis of how cybercriminals launched attacks on global brands using the Shopify platform during Spring 2023, and how Reflectiz discovered them.
Large-scale Magento attacks have been reported since 2015, and the fact that they’re still happening is due in part to the popularity of the platform. Some of its attraction lies in its versatility. Developers can easily enhance its functionality with third-party apps, but these apps also present opportunities to attackers because they can be invisible to traditional embedded security solutions.
There are 270,000 Magento-powered sites on the web and between them they process $155 billion worth of transactions a year, so when the third parties in question handle credit card payments on such shopping sites, it comes as no surprise that attackers are so keen to bypass the latest security updates with sophisticated new methods.
Reflectiz discovered a novel approach to skimming online shoppers’ credit card details earlier in the year when its continuous security monitoring platform detected potentially problematic activity on Shopify websites. The case study walks readers through an attack that used a compromised favicon and fake Shopify stores on its Cloudflare-hosted CDN to trick shoppers into handing over their credit card details.
Skimmed information like this frequently ends up for sale on the Dark Web, where other criminals use it to defraud the victims. Thousands of those victims may pursue a compromised retailer through the courts for damages, and the business may also be penalized by the payment card industry for breaching its rules.
Reflectiz’s detailed analysis of its successful response makes for intriguing and reassuring reading.