Magecart, the Credit Card Stealing Monster, Is Alive and Well
In one research report researchers have discovered Magecart attacks affecting 17,000 web domains including some in the Alexa Top 2000. You may remember that Magecart is what took down British Airways and likely caused them to be fined 183 million Pounds by the UK Information Commissioner’s Office.
Magecart is not a single hacker or even a single organization, but rather a technique for injecting Javascript that steals credit card information into otherwise okay web pages. This group looked for unprotected Amazon S3 buckets (really, did people not get the memo – apparently not) to compromise the Javascript code. In this case, many of the pages are not even checkout pages, so they are just spraying to see what they get.
The Javascript code that they are inserting is heavily obfuscated to make it very difficult for anyone to figure out what it does. Most developers looking at code like that will just move on. Source: The Hacker News.
In a separate report, Sanguine Security says that they identified 962 web sites that were infected with Magecart in one day. They described it as the largest automated campaign to date. The previous record was 700 in one day. Source: Info Security Magazine.
Whether there is some overlap in sites between these two research groups is unknown, but what is clear is that attackers are very successfully figuring out how to inject malicious code in otherwise reputable web sites undetected. Two examples of large web sites that have been infected by this technique are Ticketmaster (EU) and British Airways, so it is not just effective on small sites. Most of the sites infected are, in fact, relatively smaller sites.
Bottom line is that all sites need to consider the possibility of their code being infected with malware and take measures to reduce the risk of that happening. This includes things like checksumming files and installing software to detect modification of existing files and the addition of new files.
But this also affects third party code that is integrated into your web site. As we have seen with a number of third party attacks, the attackers hit the weakest point, and if that is third party code that you use, that is fine with them.
by 