The DSS, MageCart, and the DOM – Part 3 e-Commerce Skimming

Posted by David Gamey on 05 Aug 2021.

Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants, governments, healthcare, critical infrastructure are continuously being targeted with ransomware, Cloud leaks, Supply-Chain, and Payment Card Data e-skimming attacks. Multiple gangs of cybercriminals, including several operating with the blessing of foreign governments, are hard at work breaching merchant cyber-defenses using some sophisticated tricks known as “MageCart”. And more often than not, the cybercriminals are wining.

Welcome to part three of our series of articles on e-commerce security and compliance. In part 1 of this series, we looked at the rules the PCI DSS compliance framework uses to measure e-commerce security. And in part 2, we demonstrated some important JavaScript risks. In this part, we will look at e-commerce skimming and MageCart attacks, as well as other sources of data leaks.

Types of e-Commerce Breaches

There are two main types of breaches: active thefts and unintentional leaks

Active Theft - Criminals interested in stealing credit cards are always innovating attacks to get at easily monetized data as quickly as possible and at scale. As most of the world moved to EMV, major point of sale breaches appear to be easing, and card-not-present transactions became an increasingly tempting target. Shopping carts, their linkage to payment pages, and widespread misconceptions about scope, compliance footprints, and appropriate security mechanisms relating to these systems provided a perfect opportunity for cyber-criminals.

Unintentional Leaks - While typical leaks will include things like lost unencrypted media and misconfigured cloud storage, there is an often overlooked area. There is an entire sub-industry of web replay and analytics providers using tools and techniques to collect keystroke by keystroke data and replay entire web sessions. Systems using these tools can be easily misconfigured and often exfiltrate unintended data. In some cases the tools transmit data unencrypted. And many third party analytic services are not PCI DSS compliant (See Learn More below).

What is MageCart?

Attacks on web shopping carts running on the Magento framework were a popular early target to steal credit card data, and became known as Magento Cart or “MageCart” attacks. The term quickly evolved to cover JavaScript skimmers in general and the criminal gangs using them. Currently there are more than a dozen MageCart gangs including some groups linked to nation states.

How Does it Work?

Several methods are used to compromise online shopping carts and payment pages. They are not limited to one type of implementation and affect both direct post forms and redirection using IFRAMEs or URLs. Criminals can directly modify the web site or indirectly modify a third-party JavaScript site. They will use their foothold to change various parts of the site including the form, IFRAME, URL, or add JavaScript hooks to those elements giving them access to all the information in the cardholder's browser Document Object Model (DOM, see Part 1 and see Part 2).

MageCart groups innovate and continuously adapt to improve their methods. Some of the techniques used include reclaiming expired domains, spoofed websites, look-alike (homoglyph) domain names, plugins, mass exploitation, code obfuscation, evasion techniques, unsecured AWS S3 buckets, and advertising servers tainted with malicious images and metadata.

As an example of this type of innovation, the evolution of Artificial Intelligence (AI) and Machine Learning (ML) are being leveraged to find new ways to exploit systems. Researchers recently demonstrated how to smuggle malware inside of machine learning models.

Who’s been breached?

MageCart attacks and techniques make regular appearances in our weekly [in]Security news summary and have been covered in nearly 1 in 3 of our issues and over 40 significant breaches to date.

Active since at least 2015, MageCart groups have compromised hundreds of thousands to potentially millions of web sites. Often, these groups compromise large numbers of sites through third parties in the hope of snaring a subset of lucrative payment sites. MageCart groups have been implicated in a number of high-profile breaches including British Airways, Ticketmaster, Braintree/Paypal,Newegg, Macy's, Forbes, Sotheby's, The Atlanta Hawks, Smith & Wesson, Salesforce Heroku, NutriBullet, Tupperware, the Olympics, Click2Gov Cities, Volusion, hotel chains, and charities.

Typically in these situations, the third party service providers bear the load of responsibility and are held accountable for larger web security issues within their environment. However, brand damage is still a major risk.

Defenses?

MageCart is a classic arms-race between criminals and legitimate business. The current PCI guidance helps but is not sufficient because the controls are not designed to protect against all aspects of this threat. There are hopes for improvements in the upcoming PCI DSS v4.0, but no details have been made public so far. Organizations should not rely on PCI guidance alone to solve Magecart and should look to industry best practices to help ensure comprehensive controls are in-place. Beyond PCI there are open standards and initiatives such as Content Security Policy, Subresource Integrity, and tools like URLscan. There are also a number of commercial solutions claiming to help (See Learn More below).

Summary

MageCart attacks are a major risk to e-commerce. The techniques exploiting ecommerce sites are constantly evolving, adapting, and improving. Many high-profile organizations have been breached. Current PCI DSS controls and guidance are not designed to stop the methods used by these groups. Additionally, there is a tremendous potential for MageCart type attacks to compromise ecosystems beyond payments and e-commerce.

Our review of the available information related to many of these breaches leads to several observations. Firstly, several of the breached merchants appear to have misidentified their compliance footprint and were clearly not compliant. Secondly, although several other merchants may have been operating shopping carts based upon the current PCI DSS guidance they were ultimately breached through third-party JavaScript. This last observation suggests that the current PCI guidance is insufficient and needs adjustment.

Learn More

Alerts

Breaches

Web-replay software

Defences

Note: The list of solutions above is not complete nor have we evaluated or compared their effectiveness or cost (i.e. it's just a list for for further investigation and not a recommendation).

Evasion, Infection, and Exfiltration

The Gangs