Magecart Attacks Expand to CSS

Unfortunately, there are still scenarios in which payment data can be stolen

It wasn’t all that long ago that the idea of spending money online by entering your credit card details on a website sounded fraught with risk. Today, in an age in which the biggest retailers predominantly exist online rather than offline, this doesn’t seem such a big threat anymore. Buying an item over the internet is seamless and, so long as you trust the company or vendor you’re purchasing from, it doesn’t seem any riskier than spending money elsewhere.

Most of the time, that’s entirely accurate. Unfortunately, there are still scenarios in which payment data can be stolen — even in instances where the vendor you’re making a purchase from is eminently trustworthy. This is where the cyber security threat of web skimming comes into play.

Definition of a web skimmer

A web skimmer refers to a specific type of internet credit card-related fraud in which attackers compromise a website by using malicious code in order to steal payment information. With websites growing more complex all the time, it’s possible for attackers to insert this fraudulent code, and for it to sit there on websites for a sustained period of time, siphoning off customer information as it does.

These attacks can even affect major retailers — such as when British Airways had approximately 380,000 customer card details stolen in 2018. During the web skimming attack in question, which lasted for around three weeks, malicious code on both the airline’s website and its mobile app meant customers purchasing plane tickets had their credit card information — along with names, billing address, and email — forwarded to a private server in Romania.

A similar attack, which affected 40,000 customers, was targeted at ticket vendor company Ticketmaster.

The Magecart consortium

The most famous web skimming entity is Magecart, a consortium of hackers who go after online shopping cart systems — most frequently Magento — in order to steal payment card data. These attacks, which are also referred to as supply chain attacks, can provide a lucrative reward for hackers by providing them with a stream of data they can use to enrich themselves.

As with any cyberattack, over time web skimmers have changed up the way they operate in order to avoid detection, and take advantage of new vulnerabilities they can capitalize on. One recent example of this is hackers hiding web skimmers in websites’ CSS files. CSS files refer to Cascading Style Sheets. They’re a cornerstone of internet technology, much like JavaScript and HTML, which describe the presentation of documents written in markup language like HTML. CSS files contain code detailing the different colors of page elements, font settings, text size, and similar.

Over the past 10 years, CSS language has grown increasingly complex as CSS has become a more powerful tool in its own right. Unfortunately, hackers have been taking advantage of this by finding ways to modify CSS files using malicious code — thereby allowing their data-swiping attacks to go undetected. This is because embedding their code in CSS files is one way to get around automated security scanners, and maybe even manual security code checks, without raising the alarm.

Do a good job of protecting yourself

The use of Magecart attacks exploiting CSS files is just one more example of how cyberattackers continue to evolve. For this reason, vendors must do a better job of regularly inspecting the code running on their websites in order to protect customers (and themselves) against such attacks. This kind of source code review is a “must” for any vendor operating an online store.

To make protecting yourself more straightforward, it’s strongly advisable that vendors consider a tool like a Web Application Firewall (WAF). WAFs can be deployed as a means of inspecting incoming and outbound HTTP/S traffic to a web application, and filtering out any malicious traffic. A good WAF will utilize threat intelligence, based on things like known attack patterns, in order to work out which traffic shouldn’t be able to reach a particular application. In the case of Magecart attacks, WAFs can detect and block attacks that target vulnerabilities known as being exploited by cyberattackers. A Web Application Firewall is therefore a very valuable tool that could make a major difference when it comes to a business that’s under attack.

Web skimming attacks can be devastating. They harm both customers and vendors alike, and are only becoming more of a problem as time goes on. During the current COVID-19 coronavirus pandemic, more people than ever are relying on the internet as essential infrastructure that allows them to do their shopping. This only further incentivizes wrongdoers who seek to capitalize on the opportunity to steal valuable data.

By deploying the approaches described here, you can help fight back against them. For the good of the people who want to do business with you, it’s the best, smartest and — in some ways the only — option that’s available. Use it as best you can.

Join the BIoR to be part of creating excellence in recruiting standards & service

Send this to a friend