Retailers vulnerable as Magecart gangs speed up formjacking for holiday shopping

Magecart gangs will make the most of the shopping season, as every eCommerce website examined was found to have compromised web-app protection and endpoint security.

2.5 hours. That’s all it took for Arxan Technologies to detect that 80 global eCommerce retailers had loopholes in their web applications, leaking card data to Magecart groups. 

Research commissioned by the web application security company to examine tactics and techniques used by Magecart to compromise servers showed that all of the eCommerce websites it examined had easily exploitable vulnerabilities. 

"All of the compromised websites use an outdated version of Magento which is vulnerable to formjacking and digital card skimming. None of the websites used appropriate in-app protection capabilities such as code obfuscation and tamper detection," the report said.

According to the report, a focus on ease of use has compromised the web-app protection and endpoint security.

"The push toward a modern website user experience creates a lucrative attack surface inside the web content delivered via browser and mobile. Any interface which takes user input becomes a target for exfiltration," said Aaron Lint, chief scientist and research VP, Arxan. 

"Additionally, the widespread use of third-party components has created a supply chain where an attacker can easily compromise thousands of sites with a mere few lines of code," he added.

The data leak spiked in the last few weeks, owing to the holiday season. The back-to-school rush makes September the third biggest shopping event of the year, according to market research by Mintel.

"Between the holiday season and getting kids ready to go back to school, parents are in a hurry to get their shopping done, which means many will turn to mobile devices to buy books, clothes and school supplies to get their kids equipped. It’s all a matter of what’s most convenient for the buyer," said Robert Capps, vice president and authentication strategist at NuData Security.

"Unfortunately, cyber-criminals will take advantage of that convenience by producing fake websites that look just like the real thing, offering unbelievable deals or using some type of formjacking, like the recent Magecart attacks, to skim credit card information when the sales are made online," he added.

Formjacking is a type of breach, such as the one at British Airways, where Magecart group hackers inject the e-commerce checkout form with malicious code that sends buyers’ credit card information to an offsite server under the hackers’ control, said the Arxan report.

"Formjacking has exploded in popularity over the last two years," said David Warburton, senior threat evangelist at F5 Networks.

According to F5 Labs’ Application Report 2019, more than 70 percent of all analysed web-related data breaches throughout 2018 were caused by formjacking. "In 2019, 83 incidents were attributed to formjacking attacks on web payment forms, impacting a total of 1,396,969 payment cards," it said.

Most of the traps laid by Magecart gangs on eCommerce websites can be averted if the user exercises a little caution, said Capps.

"Slow down and look carefully at the website address you’re visiting. If it is off by a number or letter, search for the brand again - or better yet, use the merchant’s mobile application to shop," he said.

"If a deal looks too good to be true, it probably is. Sometimes, trying to save a few pounds results in a ‘penny wise, pound foolish’ scenario," he said. Using a credit card from a different bank helps mitigate the risk, as it could be immediately blocked if an illegal activity occurs, keeping your bank balance safe. 

Retailers have to adopt a layered approach to security and apply defence-in-depth, as their financial health and reputation is on the line, Capps said.

"Using the latest technology to identify real customers by their online behaviour instead of just card numbers, passwords and security questions. Companies can then block transactions from credit cards that have been stolen without impacting customers," he added.
