In a blog post today, researchers published the dates for nearly 40 new shopping websites infected by Magecart 12 with JavaScript. All were notified of the compromise, yet 13 continued to load the malicious JavaScript.
Credit Card Skimmer Running on 13 Sites, Despite Notification: The tally of shopping websites infected by… https://t.co/haQGgKzRHn #infosec
— IT Security News – www.itsecuritynews.info (@IT_securitynews) February 25, 2020
Magecart continues to be a successful Javascript based malware that steals customer payment information.
Magecart is uploaded to your website only after it has been compromised via some other means, like a XSS (Cross-Site Scripting) vulnerability or an RCE (Remote Code Execution) exploit.
With that in mind, If you own a business that handles customer credit cards or payment information there are several things you can do to detect and prevent Magecart from affecting you.
The most clear and obvious is ensuring your operating system and web framework’s used by your public facing website are fully patched. This will help prevent common exploits that may be affecting versions used by your website. Secondly, it’s important to adjust your web application’s Content Security Policy (CSP) to allow scripts running on it to be from your specific whitelisted domains. Thirdly, I recommend deploying a File Integrity Monitoring (FIM) solution to your website’s directory containing the scripts used for the checkout or payment handling process. FIM solutions are great for monitoring when files have been tampered with or added to your website, and in this case it won’t prevent you from being compromised but it will let you know if Magecart has been installed.
Businesses often leverage third-party platforms and services to take their brands online. When a Magecart infection is discovered, they can lack the processes or resources to engage their third-party vendors to patch their e-commerce stores and mitigate their risk of a data breach. PerimeterX research shows that Magecart attacks often remain active on websites for weeks or even months, compromising hundreds of thousands of credit card numbers in the process.
Magecart activity is approaching fever pitch as attack techniques and tools are widely shared amongst hackers. PerimeterX researchers continue to uncover new Magecart infections, and multiple simultaneous infections in some cases. Despite proactive notifications to the site administrators, we see the infections continue to persist for months.
While it helps to stay current with security patches and software updates, businesses need to invest in client-side visibility solutions that will proactively alert them about Magecart attacks, and drastically shorten the mean time to mitigation.