Magecart Attacks

What are Magecart attacks?

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores.

These attacks are accomplished by:

1. gaining access to the targeted website (either directly or through a supply chain attack),
2. injecting malicious JavaScript code into the checkout page to skim the desired data, and
3. sending the information back to a threat actor-controlled server.

Magecart attacks are conducted by many threat actors and are not specific to one group. Once payment card data is stolen, it can be used by the threat actors to make fraudulent purchases or sold in dark web or other marketplaces.

Recommendations

To protect websites against Magecart attacks, website administrators are recommended to, by default, block access to sensitive information entered into web forms and stored cookies. Only vetted scripts developed in-house should have access to sensitive data.

Online customers are encouraged to use credit cards over debit cards when shopping online as they often have better consumer fraud protections. Additionally, many financial institutions offer payment charge notifications for every transaction that occurs on an account. Enabling these notifications may make it more likely that a customer will notice a fraudulent transaction as soon as it occurs and can notify their bank. If a customer discovers fraudulent activity on their account, lock the affected card if this option is available, notify the banking institution immediately, and request a new payment card.

Recent Magecart Activity

December 2020: New E-Commerce Skimmer Impersonates PayPal Form

August 2020: New Skimming Campaign Uses Homoglyph Techniques

July 2020: Recent Magecart Attacks Linked to North Korean APT