Attacks on websites that aim to collect the data users submit are nothing new. Magento, the open source e-commerce platform, has been the target of such hacks for years.
By compromising websites that also act as payment platforms, collecting credit card numbers and other personally identifiable information (PII) on the fly becomes a surprisingly easy and profitable process.
In a sense, this is the digital equivalent of a credit card skimmer, a way of grabbing someone's card details from a physical ATM. Just as criminals can tamper with an ATM, they can tamper with the payment page of a website.
In recent months there has been a steady increase in such attacks, hitting smaller websites and major companies alike. This blog post looks at some of the most recent events we have witnessed and offers some mitigation techniques for a threat that is designed to fly under the radar.
Third party compromises
Attackers can compromise a website using many different techniques, often by exploiting vulnerabilities or weak passwords. When that is not possible, they often turn instead to a third-party library the site relies on, which may not be as well secured.
An additional advantage of third-party compromises is the scalability of the attack: by compromising a single provider, attackers can affect every website that depends on it.
The following malicious code was added, in obfuscated form, to a legitimate and trusted script. This is the work of Magecart, the name given to a group of threat actors responsible for several recent high-profile attacks.
After decoding the script, we can see the code responsible for collecting data when customers hit the checkout button. At the network level it appears as a POST request in which each field (name, address, credit card number, expiration date, CVV, etc.) is sent Base64-encoded to a rogue server (info-stat[.]ws) controlled by the criminals:
This type of attack is transparent to both the merchant and the customer. Unlike breaches involving leaked databases, where the information may be encrypted, web skimmers collect the data in the clear and in real time.
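As an added example (not from the original post), here is detection logic in Python that a proxy or network monitor could run over a checkout POST of the shape described above: it Base64-decodes each field, applies the Luhn check to spot card numbers, and flags the request when they are headed for a host outside the merchant's allowlist. The request body, the allowlisted hosts and the placeholder destination are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Hosts the checkout page is expected to talk to (assumption for this example).
ALLOWED_HOSTS = {"shop.example", "pay.example-psp.com"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheapest test for 'this looks like a card number'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decode_b64(value: str):
    """Return the decoded text of a Base64 field, or None if it is not Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def inspect_post(host: str, body: str) -> dict:
    """Decode each form field and report card-like values leaving for an unknown host."""
    report = {"host": host, "off_allowlist": host not in ALLOWED_HOSTS, "card_fields": []}
    for name, value in parse_qsl(body):
        text = decode_b64(value)
        if text is None:
            continue
        digits = re.sub(r"[\s-]", "", text)
        if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
            report["card_fields"].append(name)
    report["suspicious"] = report["off_allowlist"] and bool(report["card_fields"])
    return report

# Constructed request modelled on the skimmer's shape: one Base64 value per field.
SAMPLE_HOST = "rogue.invalid"  # placeholder stand-in for the real exfiltration domain
SAMPLE_BODY = urlencode({
    k: base64.b64encode(v.encode()).decode()
    for k, v in [("name", "J Doe"), ("cc", "4111 1111 1111 1111"), ("exp", "12/25"), ("cvv", "123")]
})

if __name__ == "__main__":
    print(inspect_post(SAMPLE_HOST, SAMPLE_BODY))
```

The same body sent to an allowlisted payment processor still reports the card field but is not flagged, which is the distinction a monitor needs to avoid alerting on every legitimate checkout.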
British Airways case
Between August and September 2018, British Airways suffered a Magecart attack lasting 15 days, which was highly targeted so as not to raise suspicion among site visitors or administrators.
In terms of stolen data, the attackers managed to take both personal information and payment details. The attack was so thorough that Magecart was even able to capture data from users of the mobile app, because parts of the site load within the application itself and the attackers had code specific to mobile devices ready and waiting.
The fact that such an attack could be launched, with that degree of internal access to the British Airways site itself, is deeply alarming. Airlines handle not only payment information on a daily basis, but also passport details, dates of birth and other intensely personal information. Fortunately, British Airways has confirmed that no travel data were taken. But in terms of potential repercussions, including the inevitable attempts at data abuse and blackmail, this attack above all others could be catastrophic.
There is no silver bullet for preventing web skimming attacks, but there are still measures that can be taken to mitigate the risk.
Merchants (server side)
Running an e-commerce site involves responsibilities, especially if payment information is handled through it. It is usually safer (and simpler) to outsource the handling of financial transactions to larger, more trusted parties. PCI compliance and the risks associated with collecting data can be overwhelming, especially for site owners who would rather focus on the business side of things.
There are far too many aspects of website security to cover here in terms of preventing your site from being hacked, so we will focus on the third-party compromise scenario.
Checking the integrity of third-party resources is an aspect of security that has often been overlooked, but it can provide great benefits when loading external content. The reality is that a website usually cannot host all of its content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.
This reliance does not have to mean inheriting third parties' problems. While this post has focused on credit card skimmers, a number of other threats can be spread via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help mitigate many of them.
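As an added example (not from the original post, and not the merchant's or any vendor's code), the following Python computes the SRI value a merchant pins for a third-party script, shows that any modification of that script makes the browser-side check fail, and builds a CSP that restricts where scripts load from and where the page may send data. The script text, the CDN URL and the host names are assumptions made for the example.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI accepts

def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-side check: does the fetched body match any digest in the attribute?"""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_digest(content, algo) == token:
            return True
    return False  # the browser refuses to execute the script in this case

def script_tag(src: str, integrity: str) -> str:
    """The <script> tag the merchant page should carry for a pinned third-party script."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'

def csp_header(script_hosts, connect_hosts) -> str:
    """CSP limiting where scripts may load from and where the page may send data."""
    return "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self' " + " ".join(connect_hosts),
        "form-action 'self' " + " ".join(connect_hosts),
    ])

# Constructed third-party script as originally published, and a modified copy.
ORIGINAL_JS = b"window.track = function (e) { /* vendor analytics */ };\n"
MODIFIED_JS = ORIGINAL_JS + b"/* any change at all, however small */\n"
PINNED = sri_digest(ORIGINAL_JS)  # value the merchant embeds at deploy time

if __name__ == "__main__":
    print(script_tag("https://cdn.example-vendor.com/track.js", PINNED))
    print("original passes:", sri_matches(ORIGINAL_JS, PINNED))   # True
    print("modified passes:", sri_matches(MODIFIED_JS, PINNED))   # False
    print(csp_header(["https://cdn.example-vendor.com"], ["https://pay.example-psp.com"]))
```

With this policy in place, script on the page cannot send form contents to a host outside connect-src and form-action, which is exactly the exfiltration step of the skimmer described above. SRI only protects resources whose integrity value the page pins, so a script loaded without the attribute, or from a vendor that changes it frequently, is not covered.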
Consumers (customer side)
One thing to keep in mind as consumers is that we are placing our trust in the online stores we buy from. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones. Of course, cases like British Airways or Newegg show the limits of this advice.
Magecart and other web skimmers can also be mitigated at the exfiltration level, by blocking connections to known domains and IPs used by the attackers. This is not foolproof, considering how trivial it is to register new infrastructure, but reuse of infrastructure is something we still see quite often.
We will continue to monitor these threats and add the relevant indicators of compromise (IOCs) to our database to protect our Malwarebytes customers.