I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest in other merchants to better secure their retail websites to assure such data loss doesn’t happen to them.
With the numbers of breaches so large, how easily we forget that back in June, Magecart applied a kind of cross-site-scripting (XSS) attack to effectively digitally skim the credit card information from Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a thirdparty supplier for their website. Although obfuscated, and having no impact on the site’s functionality, the subtle change captured and diverted the information to Magecartowned servers with legitimate looking names.
This attack was nothing new to Magecart, who’s been behind such malaise since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed that there were over 800 different commerce websites also targeted based on their analysis. Clearly Magecart continued with attacks as evidenced by the large compromise of British Airways (having lost over 380,000 transactions). One might imagine that other smaller sites are also being targeted based on the announcement that just this week ABC-CBN (who’s on-line store was compromised) may have lost information on 213 customers.
You’d think with such publicity, e-commerce sites, especially those with a large customer base would be watching for similar Magecart activity to assure they don’t fall victim. Or not. Per Threatpost yesterday, “Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site”. Like the attacks on the other e-commerce sites, with an eloquent injection of only 8 lines of code (similar to the code used in the British Airways incident but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In the analysis of these attacks, RiskIQ further states: “Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly.”
Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for some unauthorized Magecart additions.
Sources:
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ https://www.computerworlduk.com/security/magecart-who-what-is-behindbritish-airways-attack-3683768/ https://threatpost.com/magecart-strikes-againsiphoning-payment-info-from-newegg/137576/
This article was created by Peraton