Kroll has investigated many different tactics that threat actors use to steal consumer data on e-commerce sites. These types of attacks can be especially damaging for organizations that are responsible for storing customers’ personal and financial information that is collected during transactions.
One of the most long-lived and persistent threat actor groups is Magecart. Technically, Magecart refers to the multiple cybercriminal groups known to exploit vulnerabilities within Magento e-commerce panels to steal payment card data, personally identifiable information (PII) or credentials through online skimming.
Many of the actors’ methods involve injecting malicious code into e-commerce checkout pages to steal credentials or modifying paths to checkout pages that lead users to enter their payment information on a fake checkout form.
Tactics, Techniques and Procedures
Kroll experts observed one Magecart tactic where attackers inject malicious skimmer code via image files. The malware was designed to mimic a “favicon,” also known as a favorite or shortcut icon, which actors used to modify a file path that leads to a fake .png file. This so-called .png file was then used to load a PHP web shell script to a server that allowed a threat actor to execute commands or maintain persistence within a compromised system. This tactic is more difficult to detect because the web shell injects malicious skimmer code on the server side. In other attacks, actors have created .jpg files and used them to store data they have skimmed until they are able to retrieve it.
Kroll has also observed Magecart attackers modifying paths to checkout pages, leading customers to enter details on a fake checkout form. The attackers captured and exfiltrated online checkout information via a skimmer script. Once the victim enters payment information and hits the submit button on a form, the skimmer can exfiltrate the information to a domain that is owned by the threat actors. From there, the threat actors will pre-fill a fake PayPal payment form in place of legitimate forms. The skimmer will then click the order button behind the malicious iFrame to send the victim back to the legitimate checkout page. This tactic lends credibility to the fake PayPal payment form since autofill is commonly used when checking out from e-commerce sites.
Magecart attackers use various other techniques, from using legitimate websites that contain obfuscated source code to hide malicious skimmer code, to pooling IP addresses to reduce the risk that actor-controlled servers will be taken down. Actors have also used persistent skimming attacks that include running a hidden system process to restore skimmer code to a compromised e-commerce site after being already discovered and removed.
Figure 1 – Example of a threat actor tagging and exfiltrating data
Best Practices and Mitigation
- In August 2021, updates were released for Magento Commerce and Magento Open Source edition platforms that fixes 26 known vulnerabilities. Magento site administrators are advised to install any updates as soon as possible. Unlike most applications, Magento updates must be installed cumulatively in sequential order, rather than updating to the most recent update or patch.
- Magento store administrators should complete regular auditing of third-party e-commerce code, including code from online advertising vendors. Administrators are also advised to host third-party scripts on their own infrastructure to minimize the risk of a third-party compromise which can be leveraged against their web stores. Additionally, Magento administrators should implement multifactor authentication (MFA) in front of their admin panels. This can include a password coupled with a token, card, key, PIN or biometrics, which will greatly decrease the likelihood of unauthorized access.
- End-users can protect themselves against digital skimming attacks by assuring that they perform online shopping from a secure network, preferably using a VPN, and avoid shopping while connected to public Wi-Fi networks. Users should also avoid saving payment information in web browsers, assure that they are shopping from trusted businesses and check for “https” within the site URL before making an online purchase.
Representative Attack Patterns
Kroll has seen a series of Magecart attacks where threat actors have written code that included cardholder data rights to a customer’s database. In these instances, customers were unable to detect any illicit activity within their site since the vast majority of the activity was happening within their own legitimate database.
Threat actors would later use an existing web shell to query the database table they’d created, or set an auto exfiltration timer, such that any net new data would be re-queried at a set cadence, often daily or twice daily. This minimized the need for threat actors to return to victim environments and manually exfiltrate data, essentially creating a never-ending stream of fresh cardholder data.
Dan Ryan, Associate Managing Director in our Cyber Risk practice, provides three important steps for protecting your e-commerce platform from Magecart attacks:
- Make sure MFA is enabled in front of any and every admin panel or content management system (CMS).
- Implement a hosted iFrame with a merchant acquirer to ensure transactions are secured.
- Regularly conduct test transactions to ensure that the iFrame is working as intended.
Securing your e-commerce platform is crucial to protecting yourself from Magecart attacks. Enabling MFA for every admin, implementing a hosted iFrame with a merchant acquirer, and regularly testing transactions can help keep your online store safe. For further guidance, contact one of our Kroll experts at one of our 24x7 cyber incident response hotlines or connect with us through our Contact Us page.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.