French fashion online store Sixth June is offering shoppers more than the latest in men's and women's streetwear apparel: the site was infected some time ago with code that steals payment card information at checkout. The infosec community typically refers to this type of script as MageCart, because these scripts initially targeted sites using the Magento e-commerce platform.
They are also called e-skimmers because they collect data from a card when it is used for online purchases. Similar to the physical skimmers that copy card data when a card is used at an ATM to withdraw cash, an e-skimmer reads and stores the information entered on the checkout page and sends it to the attacker.
NEW Magecart attack – Fashion Brand Sixth June. The attack was discovered by RapidSpike's Security Researcher and is still active at this time. #Magecart #Malware #databreach #CyberSecurity #CyberSecMonth https://t.co/mcyf2QvMgo
— RapidSpike (@RapidSpike) October 28, 2019
Commenting on the news are the following security professionals:
The Sixth June breach is a stark reminder that no matter how much money organisations throw at security awareness training, improving their overall hygiene and strengthening their IT systems, they will suffer data breaches. In an attempt to at least level the playing field, companies need to immediately pay more attention to post-breach detection and mitigation and assume they will be breached and start protecting their data accordingly. A few simple steps include encrypting all data that is deemed sensitive, limiting employee access to networks and reducing large collections of data in widely accessible systems.
Oftentimes, enterprises treat their networks like their homes, which naturally are a lot less secure than your average IT network. In my home, I wouldn't worry about someone stealing my wallet or valuables and walking out the front door. But I wouldn't leave the wallet or valuables on a chair at an airport. Overall, our actions change when our perception of our environment changes and our understanding of how much trust we put into it. The same applies to detection: I expect airports to have cameras watching everything and every movement, but not inside my home. So if we think of our network as our protected home, we ignore some basic security that should exist there, such as activity monitoring. The post-breach mindset means that we need to start thinking of enterprise networks less like our home and more like airports.
The Sixth June credit card stealing trojan is a fairly common technique for today's malicious hackers who concentrate on stealing credit card data. The real question Sixth June needs to answer is how it got on the web site in the first place. Did the hackers find a direct vulnerability on the website that gave them system access to the web site so they could update the code? Why wasn't the unauthorised change noticed and alerted upon? Why was the outgoing connection from the website allowed to another web site? It's not normal for one web site to post data to another web site. They should have had all sorts of access controls in place to prevent unauthorised changes and to prevent unauthorised traffic. This is not to call out Sixth June's IT staff or contractors for making these basic mistakes. Unfortunately, most companies have the same issues and lack of controls. It's why stealing credit card data directly from customers during checkout is so popular in the first place. If it didn't work so well so frequently, malicious hackers wouldn't use it. But the bigger question is why all the failures? Again, this is not to be punitive, but to learn, prepare, and fix. It's so easy to point to a few missing controls and say, "Ah hah! Such and such was missing." Of course it was missing. But why was it missing? Was someone not following stated policy and if so, how and why did it occur? Was there no policy requiring the missing controls? And so on. Behind every missing security control is usually an entire pathway of weakness that eventually led to the attack. That part has to be figured out so it can all be improved to prevent future attacks of the same type. And I wouldn't even pick on Sixth June for having this problem. Far more companies are missing the appropriate controls than have them. Sixth June is just the latest one we are finding out about today.
If the skimming script is still active, Sixth June needs to disable the payment page right away until it's fixed. Otherwise, they are actively compromising every customer's payment details. If you're a Sixth June customer, keep a close eye on your credit card statements and dispute any unauthorised activity, no matter how small. Criminals will often charge stolen credit cards small amounts to see if they're still valid before selling them to someone who will steal a lot more.
As the history of recent data breaches has shown, all manner of businesses are targets for data theft. If your organization accepts web-based payments, your security team should be on full alert for Magecart skimming attacks. This should put the fashion and retail sector on high alert.
Companies can improve their webpage monitoring, file integrity checking, and blocking of untrusted external sources to defend against this type of sophisticated attack. Additionally, organizations can deploy data-centric security, which can anonymize sensitive data at its earliest point of entry into their enterprise, which is a major step to dramatically reduce risks associated with data breaches and sensitive data exfiltration.
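The webpage monitoring and file integrity checking recommended above, as an added example that is not code from the article, from RapidSpike, or from Sixth June: a Python baseline comparison that flags script hosts and inline scripts on a checkout page that were absent from a known-good copy, which is how an injected skimmer script typically shows up. The host names, page contents and the first-party name "shop.example" are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from one page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:  # inline script: start collecting its body
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"


def fingerprint(html, first_party):
    # Returns (hosts that serve scripts, sha256 digests of inline scripts);
    # relative script URLs are attributed to the first-party host.
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlparse(u).netloc or first_party for u in p.external}
    return hosts, {hashlib.sha256(s.strip().encode()).hexdigest() for s in p.inline}


def check_page(html, baseline_html, first_party):
    # Reports script hosts and inline scripts not present in the known-good baseline.
    base_hosts, base_digests = fingerprint(baseline_html, first_party)
    hosts, digests = fingerprint(html, first_party)
    return {"new_hosts": sorted(hosts - base_hosts), "new_inline": sorted(digests - base_digests)}


# Constructed sample: a known-good checkout page, then the same page with an
# unexpected third-party script and an unexpected inline script appended.
BASELINE_HTML = ('<form id="checkout"></form><script src="/static/checkout.js"></script>'
                 '<script src="https://cdn.example/lib.js"></script>'
                 '<script>window.shop = {currency: "EUR"};</script>')
MODIFIED_HTML = (BASELINE_HTML + '<script src="https://unknown-host.example/u.js"></script>'
                 '<script>/* inline code not in the baseline */</script>')
```

Running `check_page(MODIFIED_HTML, BASELINE_HTML, "shop.example")` reports the unknown host and one new inline digest, while comparing the baseline to itself reports nothing.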