“The data theft occurs in the user’s browser, outside the scope of corporate monitoring tools”
2018 saw numerous high-profile digital credit card-skimming attacks against major international companies, writes Yonathan Klijnsma, head of threat research at RiskIQ. They include the likes of Ticketmaster and British Airways, which were both targeted by the threat group, ‘Magecart.’
This led to the group garnering unprecedented attention; WIRED named it as one of the eight “most dangerous people on the internet in 2018”. Security professionals now have Magecart firmly on their radar – but must remember that the group is continuously evolving, as seen recently with previously undocumented Magecart Group 12.
Strength through Evolution
Magecart is becoming a more significant threat as it continues to scale and evolve. The term, ‘Magecart’, encompasses a wide range of groups that are all joined together by the same goal – to conduct web form skimming campaigns that help them amass payment information that can then be monetised. There are currently approximately 12 groups – the twelfth being only recently published on by RiskIQ– and there are more to be published on in the near future.
These groups are ambitiously harnessing what are proving to be especially successful tactics, one of the most notable being web supply chain attacks. While older attacks have been attributed to Magecart Group 5 we have recently seen another group adapt this tactic. Group 12 that has taken the web supply chain attack in a new direction.
The Widening Scope
In a campaign against the French advertising agency, Adverline, observed in November 2018, Group 12 managed to victimise thousands of websites by successfully using the site as a mechanism for widespread delivery of its skimmer code.
It carried out the attack against Adverline by compromising a content delivery network for advertisements, inserting a small script snippet containing an encrypted URL.
When a user visited a website with an ad coming from Adverline’s ad inventory a script containing the skimmer code was loaded from that URL. This compromise came just two months after the group had built out its infrastructure; meaning domains were registered, SSL certificates were set up, and the skimming backend was installed. While this has been done before, what sets Group 12 apart is that it is launching these web-based supply chain attacks in a more effective way than has been done previously and with increased reach.
It goes without saying that when third party code is compromised, the sites of all the organizations that use it are also compromised. It is by perfecting this method that a couple of the Magecart groups can gain access to such wide ranges of victims all at once.
Catching Businesses Off-Guard
In the months and years to come, it is likely that new variants of these sorts of web skimming attacks will continue to be developed, either by current, or new Magecart groups. While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen.
For businesses, this means that there needs to be a continued focus on visibility into internet-facing attack surfaces, and an increased scrutiny of third-party services that form an integral part of modern web applications. What Magecart’s recent ravages have shown is that a lot of the investments that have been made in securing corporate infrastructure have not worked, which is why companies will continue to be overwhelmed by the scale and tenacity of groups of its kind, especially as attacks are launched from outside the firewall and the data theft occurs in the user’s browser, well outside the scope of corporate monitoring tools.
What Difference Does It Make?
Consumers are at an increased risk of seeing their personal information compromised as a result of this development, since it is they who sit on the valuable data. Magecart Group 5 and Group 12 have capitalised on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.
What all of this means is that even if a company’s own security measures are strong, they will fall on the weaknesses of third parties, many of which are unknown to the security team. Development teams need to be aware of the potential risks is using these services and should work with the security team on ensuring they are assessed, monitored and managed.
What’s more, with the increased efficiency of credit-card skimming groups the time it will take for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly. In the end, it doesn’t matter to consumers whether their data is stolen as a result of a traditional breach or a web-based supply chain attack. What is at stake is the reputation of organisations that run payment forms online, and the overall confidence of online shoppers.