news, reflectiz-news
[Reflectiz] Content Security Policy (CSP): Not Exactly a Magecart Vaccine
With millions of buyers ramping up their online activity ahead of Black Friday and the holiday season, it is important for eCommerce websites and online businesses to combat Magecart and web-skimming proactively and relentlessly. Reflectiz takes a deep dive into the matter and asks whether Content Security Policy (CSP), a proven and widely deployed browser control, can get the job done on its own.
Magecart: Wreaking Havoc Worldwide
Magecart is the umbrella name for criminal groups that specialize in gaining unauthorized access to websites, typically by injecting malicious code into shopping pages or by exploiting code vulnerabilities. The weakest link nowadays is third-party applications and scripts, a mainstay of the eCommerce space.
Many Magecart attacks have come to light in recent years. In September 2020, for example, almost 2,000 eCommerce checkout pages were hit by a payment-card skimmer and over 10,000 online shoppers were affected, in what was identified as a zero-day Magento exploit (sold on the dark web) and one of the largest campaigns to date.
Magecart attacks come in two forms. The first targets the main website or application directly, injecting malware into its own code; this is harder to execute and less common. The second, more common form loads malicious scripts through trusted third-party vendors whose code the site already embeds.
Either way, malicious JavaScript skims data from HTML forms and sends it to servers controlled by the attackers.
The skimmer script watches for sensitive user activity, with shopping-cart checkouts the most sought-after target because payment details and personal information are entered there. Thousands of websites are still hosting such malware as we speak.
Online businesses are extremely wary of Magecart because it is more than just an online skimmer plague. The attacks evolve rapidly, in an arms race between ever-advancing attackers and the defenders trying to block them, and CSP is just one of the defenders' tools.
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a browser security standard, first proposed in 2004 and standardized by the W3C in 2012, designed to combat cross-site scripting (XSS), clickjacking, and other code-injection attacks that result from malicious content executing inside a trusted web page (e.g. your iHerb.com checkout page).
Putting CSP into action means adding a Content-Security-Policy HTTP response header (or its equivalent) to the page and assigning directive values that control which resources the user's browser may load and execute: scripts, stylesheets, images, fonts, media, frames, and the destinations that forms and network requests may reach. Done well, this makes Magecart attacks harder to pull off. There are three ways to deliver a CSP:
- Content-Security-Policy – the standard HTTP response header name, supported by all modern browsers (the older prefixed variants X-Content-Security-Policy and X-WebKit-CSP are obsolete).
- <meta> – a <meta http-equiv="Content-Security-Policy" content="..."> element placed in the document as early as possible, ahead of any script; note that the frame-ancestors, report-uri, report-to and sandbox directives are ignored when delivered this way.
- Content-Security-Policy-Report-Only – an HTTP response header (not available via <meta>) that reports violations to the configured report-uri/report-to endpoint without blocking anything; developers use it to test a policy before enforcing it.
Furthermore, you have to write a well-planned policy for CSP to be effective: a set of directives that declares which resources (fonts, images, media and, most importantly, scripts) the page needs and from where, so that everything else is blocked. This mandatory allowlisting is also CSP's weakness and makes it a true double-edged sword: a policy tight enough to stop skimmers is laborious to build and maintain, and a skimmer delivered through an allowlisted third-party host passes the policy just like the vendor's legitimate script.
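To make the delivery options and the allowlisting trade-off concrete, here is an added example in Node.js (not code from the Reflectiz article or product): it builds an enforcing and a report-only header for a checkout page, parses the policy, evaluates whether a given script element would be allowed to run, and lists the directives a browser discards when the same policy is shipped in a <meta> tag. The hostnames shop.example, pay.example and cdn.analytics-vendor.example, the nonce value and the /csp-report endpoint are all invented for the illustration, and the matcher covers only the source forms the example uses (no paths, ports or hashes).

```javascript
// Added example (not code from Reflectiz or the article): build, parse and
// evaluate a checkout-page CSP. All hostnames and the nonce are invented.
const SITE_ORIGIN = "https://shop.example";              // assumed first-party origin
const PAYMENT_HOST = "https://pay.example";               // assumed payment provider
const TAG_CDN = "https://cdn.analytics-vendor.example";   // assumed third-party tag vendor

// Build the policy for the checkout page: one nonce-tagged bootstrap script is
// allowed, every other script must come from an allowlisted host.
function buildCheckoutCsp(nonce, { reportOnly = false, reportUri = "/csp-report" } = {}) {
  const directives = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' ${PAYMENT_HOST} ${TAG_CDN}`,
    `connect-src 'self' ${PAYMENT_HOST}`,     // where fetch/XHR/beacons may go
    `form-action 'self' ${PAYMENT_HOST}`,     // where forms may submit
    "frame-ancestors 'none'",                 // clickjacking protection
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportUri}`,
  ];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Parse a serialized policy into { directive: [source, ...] }. Per the spec,
// a directive repeated within one policy keeps its first occurrence.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match a script element? Covers the subset used
// above: 'self', 'none', nonces, and scheme://host with an optional *. wildcard.
// Paths, ports, hashes and bare scheme sources are not modelled and never match.
function sourceMatches(source, url, elem) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === elem.pageOrigin;
  if (source.startsWith("'nonce-")) return elem.nonce !== undefined && source === `'nonce-${elem.nonce}'`;
  if (source.startsWith("'")) return false;   // 'unsafe-inline', 'sha256-...' etc.
  if (source === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() !== url.protocol.slice(0, -1)) return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Would the browser run <script src=...> under this policy? script-src falls
// back to default-src; with neither present, everything is allowed.
function isScriptAllowed(policy, src, elem) {
  const sources = policy["script-src"] || policy["default-src"] || ["*"];
  const url = new URL(src);
  return sources.some((s) => sourceMatches(s, url, elem));
}

// Directives a browser ignores when the policy arrives via <meta http-equiv>.
const META_IGNORED = ["frame-ancestors", "report-uri", "report-to", "sandbox"];
function directivesDroppedInMeta(policy) {
  return META_IGNORED.filter((d) => d in policy);
}

// Walk through the checkout scenario and return the verdicts.
function demo() {
  const nonce = "d2VsY29tZQ";   // fixed here; must be a fresh random value per response in production
  const { name, value } = buildCheckoutCsp(nonce);
  const policy = parseCsp(value);
  const page = { pageOrigin: SITE_ORIGIN };
  return {
    headerName: name,
    reportOnlyName: buildCheckoutCsp(nonce, { reportOnly: true }).name,
    // A skimmer injected from an unknown host is blocked...
    unknownHostBlocked: !isScriptAllowed(policy, "https://evil.example/skim.js", page),
    // ...unless the injected element carries the page's nonce: a nonce vouches
    // for the element regardless of host, so it must never leak into markup
    // an attacker can influence...
    nonceTaggedRuns: isScriptAllowed(policy, "https://evil.example/skim.js", { ...page, nonce }),
    // ...and the same skimmer served by the allowlisted tag vendor runs too:
    // CSP trusts the host, not the script, which is the third-party gap.
    compromisedVendorRuns: isScriptAllowed(policy, `${TAG_CDN}/tag.js?v=2`, page),
    // Finally, what is silently lost if this policy is shipped in a <meta> tag.
    droppedInMeta: directivesDroppedInMeta(policy),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The last three verdicts are the point of the article: the policy blocks a skimmer from an unknown host, yet the same skimmer is loaded without complaint when it is served from the allowlisted tag vendor's own CDN, because a host allowlist says nothing about what the host is currently serving; and two of the directives are dropped outright if the policy goes out in a <meta> tag instead of a header.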
To discover how CSP works in practice and whether it is enough to protect against Magecart, continue reading the full article here.
How to avoid MAGECART attacks?
Get effective protection against Magecart and other eSkimming threats with our user-friendly solution.