2020 Black Friday/Cyber Monday – Likely Magecart Attack Increase Due To Plug-in Vulns – Experts Perspective

By ISBuzz Team
Writer, Information Security Buzz | Nov 20, 2020 03:01 am PST

With Black Friday and Cyber Monday just a week away, an expert with Juniper Threat Labs offers insight into why Magecart attacks are likely to be on the increase for the 2020 holiday shopping season, and what hyper-connected enterprises can do to help defend against them.

Mounir Hahad, Head
November 20, 2020 11:05 am

E-commerce and retailers are at substantial and increased risk of Magecart attacks this year, largely because the site plug-in providers are a vast, unmonitored and leaky supply chain for most online retail websites. The average online retailer website has 39-40 external sources of Javascript alone, not counting CSS code. In most organizations, no one person tracks who added them or why and through what vetting process, if any.

The ecosystem at website-level continually expands, forming a gargantuan supply chain that no one knows exists. This problem is far bigger than the owner of the domain can address on their own.

Vulnerability scanning does not pick up every sort of injection attack that Magecart thrives on.

Of the four techniques of injecting malicious code, three are done through supply chains and just one through direct code injection.

Ongoing pen testing of sites and auditing of source code is sorely needed, but third-party site builders often don’t take this on as their responsibility – it’s not their reputation at stake, but the site owner’s brand. Examples of plug-ins include ad servers and shopping carts with plug-ins such as “rate this” on payment pages.

Magecart is more of a threat in 2020 than ever before, both because: a) more shoppers have moved online so the volumes are higher, and b) in the rush to introduce new online and curbside services during the pandemic, far more new plug-ins and APIs were added, creating new potential vulnerabilities.

Shifting to crypto payments won’t reduce Magecart vulnerability. The Masad Stealer is an example of an attack that is on the victim’s browser. When they enter the information for the party they intend to pay, the stealer replaces it with their own and the outbound payment is routed to them.

Steps toward solutions that retailers should consider include Subresource Integrity (SRI), which will assure that content doesn’t get edited along the way. Most sites are edited by multiple third parties like content delivery networks.

Also, Content Security Policies, which are policies supported by browsers and web servers that say “Here are the only domain names allowed to fetch executable scripts from on my behalf.” In the retailer’s code, rules should authorize only those few approved domains. This would close several avenues that Magecart uses to infiltrate Javascript. Other recommendations include:

1. Companies must also ID all third-party e-commerce providers and advertisers they work with and ensure that they do continuous self-assessments and audits. The best way to do this is to require their code be audited by a trusted third-party. To then avoid supply chain injections, the company must host that third-party code themselves if possible and not fall for the ease of inclusion by reference. Then they need to keep it up to date with security patches.
2. Test everything – for example, inject their own Javascript code into the browser and review what’s happening. There are tools to do that.
3. Ensure scanners have access to critical flows, such as shopping carts.
4. Javascript virtualization – it’s important to keep an eye on performance, as delays can be detrimental to overall company goals.

The biggest problem is a people problem – not with users and consumers, but with the organizations themselves. They don’t see the massive amount of unmanaged third-party plug-ins as vulnerabilities, so the problem continues.

