Magecart as a Service
One of the biggest threats facing e-commerce sites is Magecart, and associated groups. These threat actors use JavaScript to skim customer card data, which they will either use themselves or sell on for use by other criminal groups. Major organisations have fallen victim to this. British Airways and Ticketmaster were both victims of this back in 2018.
This is bad for customers, but it is also bad for the organisations. Not only do they take a reputational hit, but there are also financial costs. British Airways were fined £183 million by the Information Commissioner's Office (ICO), as their lack of robust security controls was deemed to be a breach of GDPR.
As Magecart becomes more well-known as a steady revenue stream, new services have popped up to help lower the barrier of entry. A group called Inter is selling skimming toolkits for $1000. Given the potential return on this investment, this toolkit is gaining in popularity. RiskIQ believe that over 1500 websites are currently affected by this skimmer.
The toolkit is being improved on a regular basis: as an example, it comes with different obfuscation options and can also create fake payment forms that are designed to mimic forms from legitimate payment processors. This skimmer is designed to work with a range of CMS's, but Magento remains a popular target due to its widespread use in e-commerce.
There are simple steps you can take that can reduce the chance of this code appearing on your website:
1) Ensure that public access to any control panels is heavily restricted. You should use a non-default and hard to guess URL for access, and IP allowlisting should be used to ensure only authorised persons can gain access.
2) Strong passwords should be used for control panel access. This should also be paired with multi-factor authentication.
3) Maintain access logs so that any initial infection can be identified and code quickly removed.
And if your website is affected by this, then contact 3BDataSecurity.com immediately.
" The issue with Magecart-style attacks is the relatively "low bar" to entry set by Inter for cybercriminals seeking to cash in on our cards, RiskIQ says. "
