News broke yesterday evening that The American Cancer Society’s online store has become the latest victim of credit card stealing malware. A security researcher found the malware on the organisation’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card details from the payment page. The attackers, known as Magecart, sell the stolen card numbers on the dark web or use them to commit fraud.

Magecart attacks are more common than originally estimated. We have now seen attacks across many industries — airlines, e-commerce, fashion and beauty, and retail — irrespective of company size. It is clear these digital skimming attacks, which compromise third-party vendor code and harvest personally identifiable information (PII) from unsuspecting users, are not going to stop anytime soon.
In this new low for attackers, the attacker targeting the American Cancer Society injected the malicious code and hid it behind Google Tag Manager. The attack was discovered only because a security researcher was scanning sites and because the code had been inserted twice.
To restore user confidence, website owners should take a new approach to client-side attacks and monitor the third-party code execution on their sites in real time, tracking its actual behavior. Relying on traditional forms of web security like Web Application Firewalls (WAFs) would not protect against Magecart attacks that bypass the website owner’s infrastructure.
The attackers had a way to compromise the server and modify its code manually. It is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward. As a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.
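A minimal form of the periodic checksum check described above, as an added example that is not code from the article or from any vendor quoted in it: it records the SHA-256 of each script the store serves once, then compares a later snapshot against that baseline and reports modified, missing or unexpected scripts. Script paths and contents are constructed stand-ins, and the fetch step is stubbed so the example runs offline.

```python
import hashlib
from typing import Dict, List

# Constructed sample: the scripts a store serves, keyed by URL path.
# These are hypothetical stand-ins, not files from the incident.
BASELINE_SCRIPTS: Dict[str, str] = {
    "/static/js/checkout.js": "function pay(form){return submit(form);}",
    "/static/js/analytics.js": "window.track=function(e){send(e);};",
}


def sha256_hex(content: str) -> str:
    """Checksum of one script body; SHA-256 so a tampered file cannot collide cheaply."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def snapshot(scripts: Dict[str, str]) -> Dict[str, str]:
    """Checksum every script. Run once to build the baseline, then on every poll."""
    return {path: sha256_hex(body) for path, body in scripts.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Compare a fresh set of scripts against the baseline hashes.

    Any finding is alert-worthy: a MODIFIED script is the classic sign of injected
    skimmer code, a NEW script may be an added loader, and a MISSING one may mean a
    legitimate file was replaced or removed during a deployment gone wrong.
    """
    current_hashes = snapshot(current)
    findings: List[str] = []
    for path, expected in baseline.items():
        if path not in current_hashes:
            findings.append(f"MISSING {path}")
        elif current_hashes[path] != expected:
            findings.append(f"MODIFIED {path}")
    findings.extend(f"NEW {path}" for path in current_hashes if path not in baseline)
    return sorted(findings)


def simulate_poll_after_tamper() -> List[str]:
    """Stand-in for one scheduled poll: the fetch is replaced by a copy of the
    constructed scripts with an unexpected block appended to the analytics file."""
    baseline = snapshot(BASELINE_SCRIPTS)
    fetched = dict(BASELINE_SCRIPTS)
    fetched["/static/js/analytics.js"] += "\n/* constructed: unexpected appended code */"
    return detect_changes(baseline, fetched)


if __name__ == "__main__":
    for finding in simulate_poll_after_tamper():
        print("ALERT", finding)
```

In production the baseline must be rebuilt deliberately on each legitimate deployment, and note that this only covers first-party files: code pulled in through a third-party tag manager container never hits this check, which is why the article also calls for real-time behaviour monitoring.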
As the history of recent data breaches has shown, even non-governmental organizations (NGOs) and similar organizations are targets for data theft. If your organization accepts web-based payments, your security team should be on full alert for Magecart skimming attacks. Companies can improve their webpage monitoring, file integrity checking, and blocking of untrusted external sources to defend against this type of sophisticated attack. Additionally, organizations can deploy data-centric security, which anonymizes sensitive data at its earliest point of entry into the enterprise, a major step toward dramatically reducing the risks associated with data breaches and sensitive data exfiltration.
The sabotage of the American Cancer Society shows that no organisation is immune from challenges of cybersecurity. Every organisation has something of value. Cybersecurity is all about finding the balance between that value and the effort required to steal or attack it. The goal is to make the cost of an attack greater than the value that can be stolen. Cyber-attacks are particularly popular because the risks are low, the level of effort is often low, and rewards are high. The best thing defenders can do is ratchet up the level of effort for an attack to the point where potential attackers turn their attention elsewhere.
The hackers have a machine that is ready to grind up identities, and they will point it at the industries, countries, and organisations that give them the fastest path to the most money with the least cost and risk. Not-for-profit organisations often have the least resources for support functions, like security, and in the old days of hacking were considered inappropriate targets. Once upon a time, hackers didn’t attack “muggles,” to borrow from JK Rowling’s Harry Potter lexicon. Not so anymore with the almighty dollar dominating the dark side. Everyone can have vulnerabilities and weaknesses, but the American Cancer Society breach should be a wake-up call to everyone: if you aren’t improving your security posture and hygiene constantly, it’s a question of when, not if, the great credit card fraud machinery of organised cybercrime comes for you.