Web skimming
Web skimming, formjacking or a magecart attack is an attack where the attacker injects malicious code into a website and extracts data from an HTML form that the user has filled in. That data is then submitted to a server under control of the attacker.[1][2]
Mitigation
Subresource Integrity or a Content Security Policy can be used to protect against formjacking, although this does not protect against supply chain attacks. A web application firewall can also be used.[2][3]
Prevalence
A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack.[4] In 2018, British Airways had 380,000 card details stolen in via this class of attack.[5] A similar attack affected Ticketmaster the same year with 40,000 customers affected[6] by maliciously injected code on payment pages.
Magecart
Magecart is software used by a range[7] of hacking groups for injecting malicious code into ecommerce sites to steal payment details.[8] As well as targeted attacks such as on Newegg,[9] it's been used in combination with commodity Magento extension attacks.[10] The 'Shopper Approved' ecommerce toolkit utilised on hundreds of ecommerce sites was also compromised by Magecart[11] as was the conspiracy site InfoWars.[12]
According to Malwarebytes, the Magecart software has tried to avoid detection by using the WebGL API to check whether a software renderer such as "swiftshader", "llvmpipe" or "virtualbox" is used. That would indicate that the software is running in a virtual machine and that the user is not a real world victim.[13]
References
- Reddy, Niranjan (2019). Practical Cyber Forensics : an Incident-Based Approach to Forensic Investigations. Berkeley, CA. ISBN 978-1-4842-4460-9. OCLC 1110377452.
{{cite book}}
: CS1 maint: location missing publisher (link) - "You Need to Protect Your Website Against Formjacking Right Now". PCMag. Retrieved 2021-05-20.
- Wueest, Candid. "Internet Security Threat Report - Formjacking: How Malicious JavaScript Code is Stealing User Data from Thousands of Websites Each Month". Symantec.
- Ismail, Nick (13 October 2016). "Stowaways: malicious skimming code hiding in almost 6,000 online shops". Retrieved 9 December 2018.
- Whittaker, Zack (11 September 2018). "British Airways breach caused by credit card skimming malware, researchers say". Retrieved 9 December 2018.
- Priday, Richard (28 June 2018). "The Ticketmaster hack is a perfect storm of bad IT and bad comms". Retrieved 9 December 2018.
- Whittaker, Zack (13 November 2018). "Meet the Magecart hackers, a persistent credit card skimmer group of groups you've never heard of". Retrieved 9 December 2018.
- Muncaster, Phil (1 October 2018). "Magecart: Time to Focus on Web Security to Mitigate Digital Skimming Risk". Archived from the original on 10 December 2018. Retrieved 9 December 2018.
- Osborne, Charlie (19 September 2018). "Magecart claims another victim in Newegg merchant data theft". Retrieved 9 December 2018.
- Cimpanu, Catalin (23 October 2018). "Magecart group leverages zero-days in 20 Magento extensions". Retrieved 9 December 2018.
- Leyden, John (9 October 2018). "Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites". Retrieved 9 December 2018.
- Blake, Andrew (14 November 2018). "Alex Jones' Infowars store infected with malware capable of skimming payment data". Retrieved 9 December 2018.
- "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar". Threatpost. Retrieved 2022-04-03.