Magecart attacks refer to a common method of online fraud that have been around for almost a decade, and they continue to pose a serious threat to almost every financial organization, especially as e-commerce fraud becomes a growing concern. 

Security researchers say that Magecart groups have been active since at least 2016, and they are responsible for a string of high-profile attacks on websites such as Ticketmaster, British Airways and Newegg in 2018, as well as hundreds of college campus bookstores in the U.S. in 2019, and the WordPress WooCommerce attacks of May 2020.

Magecart groups have modernized their attack methods, but the modus operandi remains the same – they seek to find ways to hack websites’ shopping carts, often by exploiting third-party Javascript code, in order to steal customers’ credit card data and personal information. Typically, the attackers will covertly inject malicious code into the checkout page of online retailers, which feeds the stolen information back to their servers. From there, it’s sold to other cybercriminals. 

These days, there might be fewer reported Magecart attacks, but that doesn’t mean these groups have gone inactive. In fact, many experts believe that the decline in the number of headlines simply means they have become more selective in their targets, allowing them to operate under the radar. But we still see the stories surfacing of Magecart-style online fraud that reminds us of the extreme risk such attacks can pose to e-commerce websites and the financial companies that serve them. 

How Do Magecart Attacks Work?

Magecart takes advantage of the reality that very few companies create their own digital checkout solutions. Instead, more than 99% of e-commerce websites rely on third-party tech that is injected via JavaScript, using code supplied by companies that specialize in creating shopping carts for online retailers. 

Although this practice is cost-effective and convenient for merchants, JavaScript code often contains vulnerabilities that hackers can exploit. Once an attacker manipulates the JavaScript, they can often access various other parts of the website in question, and read and store any personal information entered into those pages. 

Part of the problem is the architecture of modern websites. Due to the lack of hierarchy between the various bits of code they use, each one effectively has access to the others. So it only takes one vulnerability to bring the entire house down, so to speak. By exploiting a single line of code provided by a third party, it’s possible for hackers to skim the details associated with subsequent transactions processed on that website. 

As one of the most flexible online fraud methods, Magecart provides a way for hackers to interfere directly with browser sessions, steal information, and create their own content or forms to gather even more information. This is why Magecart is also one of the most dangerous of all online threat types. Worse still, most companies don’t even try to keep track of the changes made to the third-party code they use. Very often, they simply serve that code without examining what it might actually do. 

A Lucrative Endeavor

The primary goal of most Magecart attacks is to steal payment card data, but that information alone is not enough to get rich quick. The threat actors must then use this information to create fake credit cards that they can then go and spend online or in physical stores. 

Most Magecart groups simply take the data they steal and advertise it for sale on dark web “Carding” forums, where they can also find payment card details stolen in other ways, such as through ATM skimming and hacks on banks and payment providers. 

Those payment card details are bought by criminals who create fake cards and then use them to purchase expensive products, which are then resold on the black market. It can be a very lucrative business, and ultimately it’s the banks that suffer, as most countries have laws that mandate their customers be reimbursed. 

Although it's usually the banks and payment card providers that suffer the financial hit, it’s still in the best interests of e-commerce site managers to protect themselves against Magecart, as such attacks can have an extremely negative impact on their brand’s reputation. 

Magecart Attack Mitigations

To mitigate Magecart attacks, online sellers should employ a “zero-trust” approach to the JavaScript code they utilize. This should start with a policy that blocks any script from being able to access the sensitive data users enter into web forms. Once this is implemented, companies can manually select whatever vetted scripts absolutely must have access to this information. By taking these simple steps, it means that hackers will not be able to access sensitive data, even if they do successfully inject their malicious code into the website. 

The main issue with implementing this policy is that web browsers do not provide this functionality as a default. As a result, IT teams must create their own protection policies, and that can be a tricky business, requiring skilled personnel or, more likely, the assistance of specialized cybersecurity service providers. 

Websites can also implement a Content Security Policy header, which helps to protect against clickjacking and cross-site scripting techniques that are used to inject the malicious code. Furthermore, a CSP can block data exfiltration by implementing allowlists for trusted network locations only. When this is done, it means data cannot be sent to any location that hasn’t been whitelisted, essentially blocking the cybercriminal’s own servers. 

Further protections against Magecart include “inline frames,” which only allow websites to upload third-party code to a restricted environment. Finally, companies can also implement what’s known as real-time JavaScript sandboxing, whereby the web server initially only allows users to access a virtual version of the website. These virtual pages then manage the interactions between the third-party code and the website, enabling them to be closely monitored for code-injection attempts. Should the virtual site detect malicious behavior, it will simply isolate this and prevent it from being shown to the user. 

It’s a real-time Magecart prevention technique that also helps website owners to quickly recover should they find they’re being targeted. 

A Duty to Protect Users

Magecart attacks continue to be one of the most persistent and dangerous of digital financial fraud threats, and can be especially damaging to the vendors that serve online retailers. Businesses cannot afford to ignore these threats, as those who do could wake up in the center of a firestorm from which they might never recover. 

When building an e-commerce website, businesses must spare no expense in securing it from Magecart and other cyber threats. They have a duty to protect not just themselves and their reputations, but also their customers and financial services providers too.