Threat Alert – Armor Warns Online Retailers of Increased Attacks

Magecart-Style, Credit Card Sniffing Attack Tool, Like One Used in British Airways & Ticketmaster Breaches, is Now On Sale in the Dark Web

Armor, a leading cloud security solutions provider,  has found what it believes to be the first Magecart-style (credit card sniffing) attack tool to be openly offered for sale on the Dark Web.  Previous Magecart-style attacks, (such as the British Airways and Newegg attacks for example), have been carried out by specific threat groups who have, from all accounts, used their own proprietary payment card sniffing tool and not a sniffing tool which has been openly sold on the Underground Hacker Markets.  According to the ad posted the first week of December, this Magecart-style attack tool is new and is being sold for $1,300 USD.  The ad is on a Russian forum, and the threat actors selling the tool has been active in the Russian forums for over a year.  He has purportedly also developed and made available for sale a banking trojan for the Android mobile operating system.

The Magecart-style attack tool is being advertised as containing two components:  a standard universal (payment card) sniffer and a control panel.  The control panel can be used to generate a custom credit card sniffer (JavaScript file) to work with any e-commerce site that employs Magento, OpenCart or OsCommerce payment forms. The payment card sniffer tool essentially watches for new payment card data being entered by shoppers into the payment form on the checkout pages of the  e-commerce site you are targeting.  The payment card data is collected by the sniffer and sent off to a remote server under your control.  Additionally, the tool also uses Secure Socket Layer (SSL) protocol to encrypt the outbound payment card data being collected, making it harder for security teams to see the data being exfiltrated from the e-commerce site.

Less than a month ago, on November 30th, Armor’s Threat Resistance Unit (TRU) released a Threat Alert, stating  that it expected to see an increase in Magecart-style attacks coinciding with the holiday e-commerce rush, and as a natural next step in the evolution of Magecart attacks, stemming from the increased attention and reporting brought on by successful compromises reported over the last several months, including Ticketmaster, British Airways, Newegg and multiple third party plugin providers. The TRU Team predicted that, as part of this natural next phase, there would be an increase in instances of low-sophistication Magecart copycat attacks, similar to what was seen in the outbreaks of Cryptominers and Ransomware over the last couple of years.

In the opinion of TRU senior security researcher Corey Milligan, “This attack tool represents the first step in the commoditization of the Magecart-style attack, creating a new line of revenue for the original Magecart threat groups while simultaneously serving to saturate the threat landscape with attempts by low-level threat actors, and thus hiding the original threat actors’ own activities that security experts are now hot on the trail of.”

Milligan also noted that, “while this tool provides low-sophistication threat actors with a powerful capability, other pieces are required to utilize the sniffer effectively, as it does not  identify vulnerable e-commerce targets using Magento, OpenCart or OsCommerce payment forms. It also does not provide a mechanism for penetrating identified targets, implant the script that will download and run the sniffer in a browser, or provide a secure, non-attributable server to collect the harvested credit card data.”

In the hands of a low-level threat actor, the TRU team believes this tool will mostly likely be plugged into a process that involves the automated scanning for and the indiscriminate attacking of vulnerable e-commerce sites, even ones that don’t have the applicable payment form.  “We expect to see a mass of “Hail Mary” attacks, with the cybercriminals  intent on hitting as many sites as possible, hoping that some of them  will succeed and be fruitful,” said Milligan. “As the adage goes, they only have to be right once, and in this case, being right once could result in a haul of credit card data that is profitable and easy to sell on the Dark Web.”

How E-Commerce Retailers Can Protect Themselves and their Customers from Magecart-Style Attacks?

While these recommendations are ranked, Good, Better, Best, it is recommended that, where possible, these techniques are used in combination with each other to provide a layered defense.

Good

– Keep your payment page simple. Loading third-party scripts along with your payment processing page increases your risk of third-party compromise. Many third-party content providers are not focused on security. Threat actors are known to choose the softer target ,and they will not hesitate to circumvent your security by compromising a third-party you are trusting on your payment processing page.

Better

– Audit public facing web content regularly to identify unauthorized changes.

– Use subresource integrity for embedded scripts. On its own, it won’t protect you from all forms of third-party code injection attacks, but as a practice it raises your level of security and makes you a harder target.

– As a backup measure and a step to mitigate similar attacks, a content security policy (CSP) header can be employed. This additional header for web content tells the browser,  that  is accessing your site, where resources are authorized to be downloaded from. While this won’t stop the download of scripts from compromised, trusted third-parties, it does help mitigate other HTML injection attacks where the content source has been changed to an untrusted download source.

Best

– Outsource your payment processing to a third-party payment processor. While this involves trusting a third-party, all third-parties are not equal. Of course, do your homework before selecting one, but, in general, payment processors that perform this service have well implemented security practices. While there will be additional costs involved with using an external payment processor, it can also relieve you of many stringent PCI requirements that have costs of their own to maintain.

It is worth noting that the seller of the credit card sniffer code, referenced previously, specifically stated in their offering that the tool would not be effective against sites that utilize third- party payment forms, as the entering of payment information and payment processing does not actually take place on the infected e-commerce site.

After-the-fact

If you have been affected by one of these type attacks, and the third-party code supplier has taken steps to clean it up, you may still be vulnerable if you are using a Content Delivery Network (CDN) that caches content to improve performance. If this is the case, be sure to flush cached pages as one of the final steps to cleanup.

How Online Shoppers Can Protect Themselves from a Magecart Attack

As an online shopper, to protect your payment card details safe from a Magecart attack, disable JavaScript inside your browser before making a payment. Since the card skimming code is written in JavaScript, this will prevent a standard Magecart attack. (NOTE: disabling JavaScript in your browser may also cause webpages not to function. In the case that you need to leave JavaScript enabled, we recommend using prepaid cards for online purchases).

While most banks offer services to help you recover from fraud, it can take time. In the case of a debit card, the time it takes to recover stolen funds that may be needed to pay a bill is too big of a risk to take. Using a credit card reduces this risk, but an even better solution is to use a prepaid card. Prepaid cards are easy to obtain, even for those with no credit history, and they limit the amount that can be stolen via fraud to the amount of money you put on the card. Prepaid cards may not be the most convenient or cost-effective solution, but they can help keep your credit and bank account information out of the hands of criminals.

History of Magecart Attacks

As far back as 2015, intelligence organizations and security researchers, such as RiskIQ and Willem DeGroot, have been tracking and reporting about a growing trend and associated techniques for what is now being termed online credit card skimming. Magecart draws its name from its original Tactics Techniques and Procedures (TTP) discovery in which Magento content management system (CMS) instances, with shopping cart functionality, were being scanned for, targeted and attacked. Thus, you have ‘Mage’nto shopping ‘cart’, or Magecart. In this initial TTP, a vulnerability in a Magento site was leveraged to modify the source code of the site, injecting what looked like a legitimate download of a JavaScript library. In actuality, when a browser would connect to the site, it would automatically download this JavaScript file, as is common, and run it in the browser. The malware would identify the shopping cart functionality and modify it so that a copy of any credit card information that was submitted would be sent to a server owned by the threat actor.

Although the Magecart name continues to be used, online card skimming  attacks have evolved beyond targeting only Magento sites. At least six separate groups have been identified to be using a similar TTP of modifying e-commerce sites with malicious JavaScript files. The unique qualities that allow these threat actors to be singled out include variances in sophistication and target selection with the most high-profile breaches being those that have leveraged the software supply chain (Inbenta, Feedify and Shopper Approved) and those that have targeted specific high-traffic sites (British Airways and Newegg).