eCommerce Sites Hacked by Their Ads
The Magecart malware has stolen credit card information from such high profile web sites as British Airways, Ticketmaster and Newegg.
The malware works by inserting a little bit of code – usually JavaScript – into the page(s) of a web site that collect credit card information. When a customer visits that page, the malware collects the credit card data, usually encrypts it and then sends it on to the attacker.
Sometimes the hackers break into the target website and insert the code, but other times they compromise software libraries that web site developers use.
Now there is a new version of the Magecart malware.
Instead of infecting the website, this version infects the advertisements that run on those websites.
The ads get inserted when the web page is delivered and the malware is unleashed. The credit cards are stolen in the same manner as the other attacks.
The reason that this is attractive to hackers is that if you can infect the advertising software you will be able to attack hundreds, thousands or even more web sites at once. To a hacker, that is nirvana.
What is depressing to the merchant is that the attack is not under their control because they don’t have any visibility into the ads that are shown on their websites. For more details on how the attack works, visit the link at the end of this post.
So what is a merchant to do?
There are some things that you can do.
If you run a web server, most data transfers should be the result of responding to an inbound request from a potential customer.
When the hacker sends the credit card data to its collection machine, it is initiating an outbound session that isn’t based on a customer request. Those should be blocked or at least scrutinized.
Also, you can look at the metrics of how much data you send in response to a customer request. If the hacker is moving data in large blocks, that might be a tip-off.
The hackers could send the data to a server in the US or at Amazon, but they also might send the data to a server offshore. Unless your business is international, you should block those offshore connections, and if your offshore business is limited – say to Europe – then block connections to Africa and Asia.
Finally, check your code and query the ad networks that you use. Everyone should be sensitive to the issue, and if you don’t get an answer that you like, there are other ad networks.
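The three network checks above (server-initiated sessions, transfer size, destination region) applied to a few constructed egress-firewall records, as an added example that is not part of the original post. The log format, the allowed-country list and the "known egress" host are all assumptions; a real deployment would read them from its own firewall or NetFlow export and business rules.

```python
# Constructed sample of connection-tracking records from a web server's egress
# firewall. Fields: direction, remote address, remote country, bytes sent.
# "in"  = the remote party opened the session (a customer request we answered)
# "out" = the server itself opened the session
SAMPLE_LOG = """\
in 203.0.113.10 US 48211
in 198.51.100.7 GB 51902
out 192.0.2.25 US 812
out 192.0.2.99 CN 2400
out 203.0.113.200 US 9100000
out 198.51.100.55 FR 1500
"""

# Business assumptions (constructed): customers are in the US and Europe only,
# and the only expected server-initiated egress is the payment processor's API.
ALLOWED_COUNTRIES = {"US", "GB", "FR", "DE"}
KNOWN_EGRESS = {"192.0.2.25"}
LARGE_OUTBOUND_BYTES = 1_000_000  # server-initiated sessions should be small


def parse_log(text):
    """Parse one whitespace-separated record per line into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            direction, remote, country, nbytes = line.split()
            rows.append((direction, remote, country, int(nbytes)))
    return rows


def find_suspicious_egress(rows):
    """Return (remote, reason) pairs for server-initiated sessions that fail a check."""
    findings = []
    for direction, remote, country, nbytes in rows:
        if direction != "out":
            continue  # replies to inbound customer requests are expected traffic
        if country not in ALLOWED_COUNTRIES:
            findings.append((remote, f"server-initiated session to {country}"))
        elif remote not in KNOWN_EGRESS:
            findings.append((remote, "server-initiated session to unknown host"))
        if nbytes > LARGE_OUTBOUND_BYTES:
            findings.append((remote, f"unusually large transfer ({nbytes} bytes)"))
    return findings


if __name__ == "__main__":
    for remote, reason in find_suspicious_egress(parse_log(SAMPLE_LOG)):
        print(f"{remote}: {reason}")
```

Only the payment processor session passes cleanly; the other three server-initiated sessions are each flagged, and the 9 MB transfer gets a second finding for its size.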
Information for this post came from Bleeping Computer.