Defending your webshop from Magecart


What?: Magecart (a collection of cybercrime groups) has leveraged vulnerabilities in the Magento platform to compromise over 7000 webshops worldwide (RiskIQ).

The risk to you: If you are using Magento, there’s the possibility that you could become compromised. This could lead to a loss of revenue, and more importantly, the chance that you will need to inform your customers that their Credit Card data or Personally Identifiable Information (PII) have been stolen.

Now what?: You can significantly reduce the chances of this happening by patching your webshop and hardening your infrastructure. Your administrators (either your own or those of a third party) can follow the steps outlined below to reduce the risk to your webshop.

We want to preface this post by stating that the vulnerability and resulting exploit methods do not mean that Klarna is any less secure or convenient as a payment service provider; on the contrary. Klarna is committed to assisting all merchant partners in creating a safe and more secure online shopping environment.

As such, we have combined our cyber threat intelligence efforts with what we have learned from security researchers to help you understand the attack as well as the measures you can take to secure your webshop and reduce the risk of becoming compromised.

A brief overview of how Magecart operates:

  1. (Preparation) The criminals register one or more fake domains to receive the stolen Credit Card information, which is then forwarded to an illegitimate destination where the criminals extract it.
  2. (Preparation) The criminals identify their target and use an existing Magento exploit or some other way to gain administrative privileges on the e-commerce platform.
  3. (Initiation) The criminals log in to the merchant’s web server and add malicious code which hides the legitimate checkout iFrame until the skimmer has done its job.
  4. (Protection) The criminals protect “their” infection (which now represents a monetary investment) by making the script hide itself from detection: before loading, it checks for countermeasures such as an attached debugger and/or inspects the requester’s IP address.
  5. (Action) When the right conditions are met, the malicious script loads an externally hosted skimmer, an iFrame which looks similar to the real checkout but steals the data (typically Credit Card number, expiration date and CVV code) entered into it.
  6. (Collection) The payment card information is encoded and/or obfuscated before being sent to the domain registered by the criminals in step 1.
  7. (Monetization) The payment card information is deduplicated, validated and sold on the dark web.

For a more in-depth explanation of how the attack works, we recommend that you read the article written by Jerome Segura, Director of Threat Intelligence at Malwarebytes Labs.

Depending on where in the attacker’s process you find yourself, there are a number of important steps you should take to reduce the risk that your web shop becomes compromised and that your customers have their credit card information stolen.

In order to prevent your customers from becoming victims, you need to:

  1. Patch - The vast majority of these attacks use old vulnerabilities, as attackers know that updating software is a laborious process. Because of this, it pays off to regularly visit (or subscribe to) the Magento Security Center (SC) to check for security updates.
  2. Harden - Consider implementing a Content Security Policy (CSP) (as suggested by Rapid7) to mitigate XSS, sniffing and injection attacks.
  3. Harden - Consider adding Two Factor Authentication (2FA) to the admin control panel and shutting down access from the outside world (non-office IP addresses) at the firewall level.
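A CSP only helps against the attack described above if its source lists actually exclude the hosts a skimmer needs: an unlisted script host (step 5), an unlisted frame host for the fake checkout iFrame, and an unlisted connection target for the data the skimmer sends out (step 6). The evaluator below is an added example (not code from the original post or from Klarna); it models only the CSP features it uses (host sources, scheme sources, 'self', 'none', 'unsafe-inline', and the fallback of fetch directives to default-src). The shop origin, the PSP origins and the unlisted host are constructed placeholders.

```python
"""Added example: evaluate what a CSP source list does with the resources a
Magecart-style injection relies on. Not from the original post; all hosts
below are constructed placeholders (shop.example, psp.example, ...)."""
from urllib.parse import urlparse

# Hypothetical shop origin and a policy written for its checkout page.
SHOP_ORIGIN = "https://shop.example"
CHECKOUT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://static.shop.example; "
    "frame-src https://checkout.psp.example; "
    "connect-src 'self' https://api.psp.example; "
    "form-action 'self'"
)
# A weak policy for comparison: inline scripts and any https host are allowed.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https:"

# Fetch directives that fall back to default-src when not set (form-action does not).
FALLS_BACK_TO_DEFAULT = {"script-src", "frame-src", "connect-src", "img-src", "style-src"}


def parse_policy(policy: str) -> dict:
    """Split 'directive source source; directive ...' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def url_origin(url: str) -> str:
    p = urlparse(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def host_matches(pattern: str, host: str) -> bool:
    """Host-source matching: exact host, '*', or '*.example' wildcard prefix."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    if expr in ("'none'", "'unsafe-inline'"):
        return False  # 'none' never matches; 'unsafe-inline' applies to inline code only
    if expr == "'self'":
        return url_origin(url) == page_origin
    if expr.endswith(":") and "/" not in expr:  # scheme source such as "https:"
        return urlparse(url).scheme == expr[:-1].lower()
    parsed = urlparse(url)
    pattern = urlparse(expr if "://" in expr else "//" + expr)
    if pattern.scheme and pattern.scheme != parsed.scheme:
        return False
    if not host_matches(pattern.hostname or "", parsed.hostname or ""):
        return False
    if pattern.port and pattern.port != parsed.port:
        return False
    if pattern.path and pattern.path != "/" and not parsed.path.startswith(pattern.path):
        return False
    return True


def is_allowed(policy: str, directive: str, url: str = "", inline: bool = False,
               page_origin: str = SHOP_ORIGIN) -> bool:
    """Decide whether the policy permits a resource (or inline code) under `directive`."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    if inline:
        return "'unsafe-inline'" in sources  # nonces and hashes are not modelled here
    return any(source_matches(src, url, page_origin) for src in sources)


def checkout_policy_report(policy: str) -> dict:
    """Summarise the decisions that matter for a skimmer injection on the checkout page."""
    unlisted = "https://unlisted-host.invalid"  # constructed stand-in for a criminal domain
    return {
        "inline_script": is_allowed(policy, "script-src", inline=True),
        "own_script": is_allowed(policy, "script-src", "https://static.shop.example/checkout.js"),
        "unlisted_script": is_allowed(policy, "script-src", f"{unlisted}/loader.js"),
        "psp_frame": is_allowed(policy, "frame-src", "https://checkout.psp.example/frame"),
        "unlisted_frame": is_allowed(policy, "frame-src", f"{unlisted}/fake-checkout"),
        "unlisted_connect": is_allowed(policy, "connect-src", f"{unlisted}/collect"),
        "own_image_via_default": is_allowed(policy, "img-src", "https://shop.example/logo.png"),
    }


if __name__ == "__main__":
    for name, policy in (("checkout", CHECKOUT_POLICY), ("weak", WEAK_POLICY)):
        print(name, checkout_policy_report(policy))
```

The report for the checkout policy shows every unlisted resource blocked while the shop's own script, the PSP's frame and the image served from the shop origin (through the default-src fallback) are allowed; the weak policy lets both inline code and any https host through, which is why a bare `https:` scheme source or `'unsafe-inline'` gives little protection against this attack.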

To monitor if your initial defenses are holding up to the test, you should always:

  1. Log - Take the time and spend the resources to set up proper logging related to web server mutations and (administrative) access. The instructions on how to set up logging in Magento can be found on the Magento website.
  2. Monitor - Watch for, block and alert on Indicators of Compromise (IOCs) related to this type of attack published by cyber threat intelligence analysts (RiskIQ).
  3. Be vigilant - Your customers might inform you that they are experiencing “something weird” in relation to your e-commerce platform. This might come in the form of (but is not limited to) payment card details not being pre-filled if they normally are, needing to enter payment card details twice, or other things your developers can’t explain such as the language of “checkout” being off.
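Logging web server mutations and matching IOCs can be combined into one routine check: keep a baseline of file hashes for the webroot outside the server, compare the current tree against it, and inspect every added or modified file for references to external hosts that are either on an IOC list or simply not on your own allowlist. The script below is an added example (not code from the original post, from Klarna or from Magento); the file trees, the allowlist and the IOC host are constructed placeholders, and the `fingerprint_directory` helper is how you would build the same structure from a real webroot.

```python
"""Added example: file-integrity diff of a webroot plus an external-host check
on changed files. Not from the original post; all paths, hosts and contents
below are constructed sample data."""
import hashlib
import re
from pathlib import Path

# Constructed baseline snapshot (taken right after a clean deploy) and a
# constructed "current" tree in which the checkout template was altered and
# a new file appeared under a writable cache directory.
BASELINE_TREE = {
    "app/design/frontend/checkout/onepage.phtml":
        b'<script src="https://static.shop.example/checkout.js"></script>\n',
    "js/checkout.js": b"// legitimate checkout script\n",
}
CURRENT_TREE = {
    "app/design/frontend/checkout/onepage.phtml":
        b'<script src="https://static.shop.example/checkout.js"></script>\n'
        b'<script src="https://collector.invalid/loader.js"></script>\n',
    "js/checkout.js": b"// legitimate checkout script\n",
    "media/wysiwyg/cache.js": b'var g="//collector.invalid/gate";\n',
}
ALLOWED_HOSTS = {"shop.example", "static.shop.example", "checkout.psp.example"}
IOC_HOSTS = {"collector.invalid"}  # placeholder for a published IOC list

HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
TEXT_SUFFIXES = (".phtml", ".html", ".js", ".php")


def fingerprint(tree: dict) -> dict:
    """{relative path: sha256 hex} for an in-memory tree."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in tree.items()}


def fingerprint_directory(root: str) -> dict:
    """Same structure built from a real directory (store the result off-server)."""
    base = Path(root)
    return {str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in base.rglob("*") if p.is_file()}


def diff_fingerprints(baseline: dict, current: dict) -> dict:
    """Paths that were added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def external_hosts(content: bytes) -> set:
    """Hosts referenced by absolute or protocol-relative URLs in a text file."""
    return {h.lower() for h in HOST_RE.findall(content.decode("utf-8", "replace"))}


def scan(baseline_tree: dict, current_tree: dict,
         allowed_hosts=ALLOWED_HOSTS, ioc_hosts=IOC_HOSTS) -> list:
    """Return findings for changed files that reference IOC or unlisted hosts."""
    changes = diff_fingerprints(fingerprint(baseline_tree), fingerprint(current_tree))
    findings = []
    for change in ("added", "modified"):
        for path in changes[change]:
            if not path.endswith(TEXT_SUFFIXES):
                continue
            for host in sorted(external_hosts(current_tree[path])):
                if host in ioc_hosts:
                    findings.append({"path": path, "change": change, "host": host,
                                     "reason": "matches IOC list"})
                elif host not in allowed_hosts:
                    findings.append({"path": path, "change": change, "host": host,
                                     "reason": "host not in allowlist"})
    return findings


if __name__ == "__main__":
    print(diff_fingerprints(fingerprint(BASELINE_TREE), fingerprint(CURRENT_TREE)))
    for finding in scan(BASELINE_TREE, CURRENT_TREE):
        print(finding)
```

Run on a schedule, the diff alone tells you that a template and a file in a writable directory changed outside a deploy; the host check turns that into an alert with the referenced domain, which you can then look up against published IOCs. Keeping the baseline off the web server matters, because an attacker with write access to the webroot could otherwise update it along with the files.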

If you realize that your defenses have failed, you should:

  1. Contain - As long as the infected web server is processing transactions, the number of customers who have their payment card information stolen will continue to rise. Depending on your situation, this could mean putting your server in maintenance mode or turning off your webshop’s checkout feature.
  2. Identify - The common denominator of this type of attack is that the webserver has been altered, therefore, it is important to go through the logs and identify the point in time when content was added and/or adjusted by an illegitimate actor.
  3. Restart - It is hard to determine where on your systems an attacker has gained persistence (MITRE), so it is important to clean the environment as thoroughly as possible. Before the server can be exposed to the public, it should be cleaned (reinstalled where possible), patched and hardened.
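For the Identify step, the access log of the admin control panel is usually the quickest way to date the alteration: successful writes to admin paths from addresses outside the office ranges you allowed in the Harden step are the events to look at first. The script below is an added example (not code from the original post or from Klarna); it parses constructed combined-format log lines, keeps successful POSTs to the admin path from non-office addresses, and returns the earliest one. The office range, the addresses and the admin paths are constructed placeholders, and an attacker using a stolen admin session from an office address would not show up in this particular filter.

```python
"""Added example: find the earliest successful admin-panel write from outside
the office network in a web server access log. Not from the original post;
the log lines, IP ranges and paths are constructed sample data."""
import ipaddress
import re
from datetime import datetime

# Constructed combined-format access log, deliberately out of time order.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Mar/2019:09:02:11 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2019:09:05:40 +0000] "POST /index.php/admin/cms_block/save/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2019:02:14:33 +0000] "POST /index.php/admin/system_config/save/section/design/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2019:02:13:50 +0000] "POST /index.php/admin/ HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2019:02:13:58 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2019:03:00:01 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
"""
OFFICE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder office range
ADMIN_PREFIXES = ("/index.php/admin", "/admin")               # placeholder admin paths

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Turn one combined-format line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_office(ip, office_networks) -> bool:
    return any(ip in net for net in office_networks)


def suspicious_admin_writes(log_text: str, office_networks) -> list:
    """Successful (2xx/3xx) POSTs to admin paths from non-office addresses, oldest first."""
    events = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if (e["method"] == "POST" and e["path"].startswith(ADMIN_PREFIXES)
                and 200 <= e["status"] < 400 and not is_office(e["ip"], office_networks)):
            events.append(e)
    return sorted(events, key=lambda e: e["time"])


def first_compromise_time(log_text: str, office_networks):
    """Earliest suspicious admin write, or None if there is none."""
    events = suspicious_admin_writes(log_text, office_networks)
    return events[0]["time"] if events else None


if __name__ == "__main__":
    for e in suspicious_admin_writes(SAMPLE_LOG, OFFICE_NETWORKS):
        print(e["time"].isoformat(), e["ip"], e["path"])
    print("earliest:", first_compromise_time(SAMPLE_LOG, OFFICE_NETWORKS))
```

On the sample data the office administrator's own save on 11 March and the rejected (403) attempt are filtered out, leaving the admin login followed by a design configuration save from 203.0.113.10 in the early hours of 12 March; that timestamp is the starting point for the file-level investigation and for deciding which transactions to treat as exposed.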

Last but not least, if your webshop has been compromised, it is important to communicate. As a merchant, you have responsibility towards your customers and payment card providers. You should take appropriate actions to inform your customers that their payment card data may have been stolen.

If you act in accordance with industry best practices and do your due diligence, any situation that arises in regards to GDPR, PCI and public opinion should not be an issue.