Insights | Integrity360

British Airways and Newegg among latest victims of Magecart attacks

Written by The Integrity360 Team | 04 October 2018 13:22:00 Z

Physical credit card skimmers have been a fan favourite of criminals over the past decade. Now, hackers have developed their own digital version of the tool and are deploying it within the online checkout process.

British Airways and Newegg are the latest businesses to fall victim to the Magecart group’s attacks. The companies join a long list of e-commerce operators like Ticketmaster who have seen customer payment information end up in the wrong hands since the group first emerged in 2015.

This won’t be the last time we hear of the group – over 800 breaches have been attributed to them within the last three years – and by studying successful attacks, businesses can learn how to protect their customers’ data.

What happened in the British Airways data breach

On September 6th, 2018, British Airways notified its customers that roughly 500,000 people had their payment information exposed between August 21st and September 5th.

The attack specifically targeted the checkout process. Anyone who made a payment on its website or mobile app between the aforementioned dates were unknowingly feeding that data to a separate server operated by the Magecart group.

The campaign relied on attackers leveraging established vulnerabilities to gain write access to payment processing servers, FortiGuard Labs reported. After, they registered a new domain complete with an SSL certificate that could be passed off as a part of British Airways to the untrained eye and wouldn’t raise any alarms from cyber security scanning tools.

Magecart group then injected a malicious script through Cross-Site Scripting (XSS) that collected form field information immediately after users clicked or pressed the ‘submit’ button. Hackers buried the 22 lines of JavaScript code in an HTTP response header, allowing them to skim payment card information and send a copy of the incoming data to the newly registered domain, RiskIQ researchers found.

What happened in the Newegg data breach

On September 19th, 2018, Newegg, an electronics e-commerce retailer, notified its customers that the business had suffered a data breach. Users who had made a purchase between August 14th and September 18th are likely to have been affected, though the final number has not yet been published.

The attack was carried out in a similar fashion to the campaign which targeted British Airways. Magecart used a known vulnerability to gain write access on Newegg’s server which handled its payment process.

The group then injected 15 lines of malicious JavaScript code into an HTTP response header, which would gather customer payment information and send a copy of it to a newly registered domain that was similar to Newegg’s and had an SSL certificate, RiskIQ researchers reported.

Why Magecart attacks are difficult to stop

Hackers searching for payment card information normally target where it’s stored: enterprise databases. Given the size of the companies that Magecart has infiltrated over the past few months, it’s likely that this data is safeguarded behind a robust suite of cyber security tools.

Instead of launching a large-scale assault, Magecart is opting to grab information at the targets’ original point of contact with customers. The group operates in one of two ways: Hacking third-party vendors – Magento and Inbenta, to name two – to launch an attack from the e-commerce supply chain, or exploiting known server-side vulnerabilities.

Both methods allow them to skim customer payment information and gather key data that otherwise may not be accessible through a traditional database breach, like consumers’ three-digit Card Verification Value (CVV) numbers.

These campaigns, more so than others, are specifically designed to avoid detection. Enterprises have a difficult time gaining visibility into aspects of their e-commerce sales that are governed by third-party vendors, like forms for users. If a service is compromised, it could take a long time for them to find out.

Furthermore, the new domains that are explicitly created for the attacks mirror the targets’ websites by name, which increases the chances that data flow won’t be stopped due to the automatic discovery of abnormal behaviour. Also, the legitimate webpages are compromised by a small amount of code that is going under the radar of most companies.

How to protect your business from Magecart attacks

The Magecart group preys on businesses with disorganised cyber security strategies. Without an established framework in place, defences will be scattered and there will be a lack of regularly scheduled maintenance to shore up emerging vulnerabilities.

In light of the recent British Airways and Newegg attacks, it’s recommended that companies fine-tune their Content Security Policy (CSP). The HTTP header standard enhances organisations’ protection against XSS by allowing them to create a whitelist of acceptable scripts that can be injected into a page.

Security teams should continuously monitor and assess their outbound network traffic for abnormal behaviour. There are a couple of tools that can be used to accomplish this, like Intrusion Detection Systems (IDS), firewalls and Security Information and Event Management (SIEM) platforms. Leveraging artificial intelligence capabilities can severely reduce the drain on resources that this time-intensive task can take and reduce false-positive alerts.

Apart from those two solutions, refining the company’s risk management framework in respect to its relationships with third-party vendors can help reduce unnecessary exposure. Thoroughly vet these businesses before welcoming them into the e-commerce supply chain to ensure their cyber security strategies are up to par and follow industry best practices. If a third-party vendor exploit leads to a data breach, the company that holds the customer data is held liable under GDPR.

Talk to an Integrity360 advisor today to learn more about how your enterprise can protect its digital environment from attackers.

Contact Integrity360 today and visit our penetration testing services page to learn more