There have been a few high-profile breaches in the news lately related to Magecart, including British Airways, Ticketmaster, and Feedify. For those who don’t know, Magecart is a hacker group whose modus operandi involves skimming credit card details with code tailored to the sites they infect (there is, in fact, some discrepancy in the press on whether “Magecart” refers to the group itself, or to the group’s malware).
The general flow of the attack looks like this:
What makes this attack so deadly is how invisible it was. Since the code was injected in production, we can surmise that SAST scans or DAST scans on staging environments would have been too premature to detect it.
So how can you protect yourself against similar attacks?
First, the oldest advice still stands most important. Train your employees regularly on security awareness and put in strong safeguards within the company. If your employees can recognize phishing attempts, then the hacker can’t even get past step one.
Access controls aren’t just to stop malicious employees – they are engaged to mitigate damage in the case of an attack. If an employee in HR is compromised, the production shopping cart code should still be safe, since that employee should not have access to changing that code in the first place. Proper logging and log analysis can also help catch anomalies within the organization.
Another key point to maintaining controls at every point in the software lifecycle is that scanning of internal codebases is just as important as scanning external-facing code. If you think of running DAST scans on your external-facing website as protecting your customers, then think of scanning internal tools as protecting your employees. Even employees who can’t recognize phishing attempts are still savvy enough to not give out credentials to strangers – that’s why step two in most attacks is designed to target a victim inside the company in attempt to get them to click an XSS-loaded link, or to get them to visit a malicious domain (or both.) If your internal codebase is hardened against XSS and other common attacks, this becomes much more difficult for the attacker.
The second part to Magecart’s attack was offloading the stolen data to their “fake” website. The only way to catch this after the fact is to examine suspicious outgoing connections when browsing the website – which is as frustrating and error-prone as it sounds. Some IPS/IDS/secure web gateways are set to do this, some are not.