The SolarWinds hack was devastating and used trusted third party software to penetrate its targets. Magecart does exactly the same. Criminals embed their code into script used by merchants. When the merchants update the script they get infected. This article describes the difficulty of detecting and preventing these attacks:
“Magecart attacks are unlike anything that online retailers have faced before. They can inject malicious code into a website without ever touching the website’s server. Instead, they often use a web supply chain attack, injecting the skimmer into a third-party service (e.g., live chat, analytics tool, website plug-in, etc.). Then, the skimmer starts being served by the target website, intercepting the website’s payment form (hence, why it’s also known as “formjacking”) and sending the stolen credit card data to attackers’ drop servers.
I’ve directly interacted with the security teams of several retailers, and one thing is clear: while the vast majority are aware of Magecart, they often turn to approaches like using a content security policy (CSP). In theory, CSP seems like a good candidate: it restricts the scripts that are allowed to load on the website and restricts sending data only to whitelisted domains. However, it can be bypassed.
Research shows that 94 percent of CSPs based on whitelists are bypassable. But even if we ignore that fact, one of the key issues with CSP is that it lacks granularity. If a domain is whitelisted by CSP, any type of data can be sent to that domain, even if it’s credit card data or personally identifiable information (PII). Then, there’s also the problem of maintenance, as making sure that CSP works as intended is a time-consuming manual process, especially given that e-commerce websites are evolving with the frequent addition of new external scripts.
These are just some of the many pitfalls of CSP. Sooner or later, security teams understand it isn’t suitable for addressing Magecart attacks.
Instead, because web skimming attacks are so particular and have so many nuances, they require a dedicated approach. I’ve long advocated that the most effective answer to Magecart attacks is focusing on client-side malicious behavior. A script’s attempts to touch a payment form or send data out to an unvetted domain are clear examples of potentially malicious behavior, and one that’s present in nearly every Magecart attack. If we’re able to detect this malicious behavior in real time and block it, we can block Magecart attacks, whether they’re using known approaches or new ones.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group