The shopping cart malware known as Magecart is still one of the most popular tools in the attacker’s toolkit — and despite efforts to mitigate and eradicate its presence, it’s the unwanted gift that just keeps on giving.

It was first detected in 2018 when it was behind the notable Ticketmaster UK exploit and is still being used today. The name refers to an open-source shopping cart application called Magento, and is used to steal credit card data, which is then sold in bulk to cybercriminals across the dark web, the shady part of the internet reachable with special software. It works by substituting its own code in place of a legitimate cart software, or by hackers who gain control over disused GitHub projects that is then distributed across the internet to unsuspecting victims.

Magecart is a prime example of how hard it is to maintain cyber vigilance. That’s because the average e-commerce storefront depends on a dozen or more separate pieces of code, including advertising servers, databases, back office systems and, perhaps the weakest link of all, a shopping cart routine that is used to collect money from the customer. It’s no surprise what a tempting treat having access to these online carts can be for cybercriminals, and finding all the various indicators of compromise of these carts isn’t easy.

The groups behind Magecart use what is called bulletproof hosting providers, meaning that their accounts aren’t easily terminated by law enforcement once identified. Plus, these actors work with criminal gangs called skimmers, which collect credit card data from compromised ATMs across the world.

Global reach

That’s what happened most recently, as reported by Sucuri and explored in more depth by Akamai, when its malware infected the WooCommerce WordPress plugin. And they operate worldwide too, thanks to the global reach of internet-based commerce.

Since its early days, Magecart has come back to haunt numerous e-commerce websites, with annual flareups over the past several years. In addition to the WooCommerce attack, this year Magecart was found infecting the Google Tag manager and a series of new attack modes documented by MalwareBytes.

That last item is especially troubling because the malware uses copycat web pages that appear to be legit, including real logos and other techniques to make the malware-laced pages convincing. In this case, the MalwareBytes researchers found a website for a Paris-based travel accessory shop, saying on the blog post, “This is a very well done skimmer that is actually a smoother user experience than the store’s default.” This shows how the criminals are constantly improving their tactics, making them more insidious, more dangerous and harder to detect.

Last year, Magecart infected more than 300 restaurant chains across three different online ordering sites, according to one analysis. The researchers found modifications to the code libraries that would redirect payments to domains controlled by criminals. The malware was present in some of these systems for many months before the modifications were discovered. But then, it is hard to fault the typical restaurant, battered by the pandemic, and trying to implement new and perhaps unfamiliar technology just to stay afloat.

How to attack the attackers

What makes these attacks difficult to find is the fact that the infected web pages are buried deep within subdirectories on the websites, so some security scanners may not discover them and some security analysts might not know where to find them. Worse yet, many site operators may not have run a security scan since the page’s JavaScript code was modified by the criminals. It’s a constant battle, meaning that it doesn’t pay to wait until audit time to do security scans.

Magecart isn’t the only malware that continues to be repurposed and made more lethal, but it shows how its basic code persists across many years, despite efforts to get rid of it. E-commerce sites should take pains to ensure that any third-party code on their web storefronts is frequently scanned for changes, and these changes are tracked by your suppliers. It also may be wise to require that any such code is audited regularly to ensure being malware-free.

Next, this code should be hosted on the company’s own infrastructure: British Airways, another Magecart victim in 2018, for example, found out that its attack was based on a baggage claim server that was hosted externally.

Finally, companies should make sure they apply software updates and patches as soon as possible. Magento users that were compromised by early attackers delayed these updates, which allowed them to be compromised by malware-infected outdated software versions.

Image: Quince Creative/Pixabay