The Growing Threat of Web Skimming Attacks in Retail
Magecart was certainly one of the most infamous names in 2020 when it came to cybercrime in retail.
Just a few years ago, the notion of having cybercriminals silently place a skimmer in your own e-commerce website would sound absurd. Yet, to date, thousands of retailers have been breached, unknowingly allowing attackers to steal their customers’ credit card information.
Publicly disclosed figures show that at least 830,000 shoppers had their credit card information stolen in a Magecart attack. However, the real figure should be much, much larger. Take, for instance, the breach of JM Bullion, a precious metal online retailer that had an active web skimmer for 150 days. While the company officially stated that “these scenarios represented a small portion of the transactions processed on JM Bullion's website,” the company has processed over $3 billion in transactions over the last eight years — and no official tally of stolen payment data has yet been disclosed.
This fast-growing list of enterprise retailers that have been breached by web skimming attacks includes companies like Claire’s, Macy’s, Intersport, and Tupperware. And according to research on the modus operandi of different Magecart groups, some are adapting the skimmer and the infection strategy to maximize their chances of successfully infecting a specific retailer.
Why are these huge corporations unable to protect themselves against this threat? The short answer, it seems, is that they’re using the wrong tool for the job.
Magecart attacks are unlike anything that online retailers have faced before. They can inject malicious code into a website without ever touching the website’s server. Instead, they often use a web supply chain attack, injecting the skimmer into a third-party service (e.g., live chat, analytics tool, website plug-in, etc.). Then, the skimmer starts being served by the target website, intercepting the website’s payment form (hence, why it’s also known as “formjacking”) and sending the stolen credit card data to attackers’ drop servers.
I've directly interacted with the security teams of several retailers, and one thing is clear: while the vast majority are aware of Magecart, they often turn to approaches like using a content security policy (CSP). In theory, CSP seems like a good candidate: it restricts the scripts that are allowed to load on the website and restricts sending data only to whitelisted domains. However, it can be bypassed.
Research shows that 94 percent of CSPs based on whitelists are bypassable. But even if we ignore that fact, one of the key issues with CSP is that it lacks granularity. If a domain is whitelisted by CSP, any type of data can be sent to that domain, even if it’s credit card data or personally identifiable information (PII). Then, there’s also the problem of maintenance, as making sure that CSP works as intended is a time-consuming manual process, especially given that e-commerce websites are evolving with the frequent addition of new external scripts.
These are just some of the many pitfalls of CSP. Sooner or later, security teams understand it isn’t suitable for addressing Magecart attacks.
Instead, because web skimming attacks are so particular and have so many nuances, they require a dedicated approach. I’ve long advocated that the most effective answer to Magecart attacks is focusing on client-side malicious behavior. A script’s attempts to touch a payment form or send data out to an unvetted domain are clear examples of potentially malicious behavior, and one that's present in nearly every Magecart attack. If we're able to detect this malicious behavior in real time and block it, we can block Magecart attacks, whether they're using known approaches or new ones.
In the last few years, we’ve seen several promising technologies when it comes to detecting and preventing web skimming attacks. So much so that it sometimes can get overwhelming to navigate these different solutions and the specific technologies that they leverage. Because it’s critical that retailers know how to properly address web skimming attacks, I’ll go through the specific technical tests that should be done in part two of this series, How Retailers Should Address Magecart Web Skimming Attacks.
Chief technology officer and co-founder of Jscrambler, Pedro Fortuna has extensive experience in academia and as a security researcher.
CTO and Co-Founder of Jscrambler, Pedro Fortuna has extensive experience in academia and as a security researcher. Pedro has co-authored several application security patents. He is an active member of the AppSec community, contributing to OWASP and regularly speaking at events such as OWASP AppSec USA, DEFCON, and BSides SF.