Web skimming

Web skimming, formjacking or a Magecart attack is an attack in which the attacker injects malicious code into a website and extracts data from an HTML form that the user has filled in. That data is then submitted to a server under the control of the attacker.[1][2]

Mitigation

Subresource Integrity (SRI) or a Content Security Policy (CSP) can be used to protect against formjacking, although neither protects against supply chain attacks. A web application firewall can also be used.[2][3]

Prevalence

A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack.[4] In 2018, British Airways had 380,000 card details stolen via this class of attack.[5] A similar attack affected Ticketmaster the same year, with 40,000 customers affected[6] by maliciously injected code on payment pages.

Magecart

Magecart is software used by a range[7] of hacking groups for injecting malicious code into ecommerce sites to steal payment details.[8] As well as in targeted attacks such as the one on Newegg,[9] it has been used in combination with commodity Magento extension attacks.[10] The 'Shopper Approved' ecommerce toolkit, utilised on hundreds of ecommerce sites, was also compromised by Magecart,[11] as was the conspiracy site InfoWars.[12]

According to Malwarebytes, the Magecart software has tried to avoid detection by using the WebGL API to check whether a software renderer such as "swiftshader", "llvmpipe" or "virtualbox" is in use. That would indicate that the code is running in a virtual machine, which is probably being used to detect the malware rather than to make a purchase.[13]

In October 2023 a Magecart variant was reported to have been inserted into the 404 error pages of infected websites. The default '404 Not Found' page is used to hide and load the card-stealing code. The site visitor enters sensitive details into, for example, an order form, then sees a fake "session timeout" error, while the information is sent to the attacker.[14]

References

  1. Reddy, Niranjan (2019). Practical Cyber Forensics: an Incident-Based Approach to Forensic Investigations. Berkeley, CA. ISBN 978-1-4842-4460-9. OCLC 1110377452.
  2. "You Need to Protect Your Website Against Formjacking Right Now". PCMag. Retrieved 2021-05-20.
  3. Wueest, Candid. "Internet Security Threat Report - Formjacking: How Malicious JavaScript Code is Stealing User Data from Thousands of Websites Each Month". Symantec.
  4. Ismail, Nick (13 October 2016). "Stowaways: malicious skimming code hiding in almost 6,000 online shops". Retrieved 9 December 2018.
  5. Whittaker, Zack (11 September 2018). "British Airways breach caused by credit card skimming malware, researchers say". Retrieved 9 December 2018.
  6. Priday, Richard (28 June 2018). "The Ticketmaster hack is a perfect storm of bad IT and bad comms". Retrieved 9 December 2018.
  7. Whittaker, Zack (13 November 2018). "Meet the Magecart hackers, a persistent credit card skimmer group of groups you've never heard of". Retrieved 9 December 2018.
  8. Muncaster, Phil (1 October 2018). "Magecart: Time to Focus on Web Security to Mitigate Digital Skimming Risk". Archived from the original on 10 December 2018. Retrieved 9 December 2018.
  9. Osborne, Charlie (19 September 2018). "Magecart claims another victim in Newegg merchant data theft". Retrieved 9 December 2018.
  10. Cimpanu, Catalin (23 October 2018). "Magecart group leverages zero-days in 20 Magento extensions". Retrieved 9 December 2018.
  11. Leyden, John (9 October 2018). "Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites". Retrieved 9 December 2018.
  12. Blake, Andrew (14 November 2018). "Alex Jones' Infowars store infected with malware capable of skimming payment data". Retrieved 9 December 2018.
  13. Montalbano, Elizabeth (4 November 2021). "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar". Threatpost.
  14. Toulas, Bill (9 October 2023). "Hackers modify online stores' 404 pages to steal credit cards". BleepingComputer.