In recent years, the Magecart attack has become increasingly prevalent and has caused significant damage to businesses worldwide. The Magecart attack is a type of digital skimming attack that targets e-commerce websites, particularly those that handle payment card transactions. The goal of Magecart attackers is to steal payment card details of customers, which can be used for fraudulent transactions or sold on the dark web. In this blog post, we'll delve into Magecart attacks and how PCI DSS can help prevent them.
What is a Magecart attack?
Magecart is a term used to describe a group of cybercriminals who use digital skimming attacks to steal payment card information from e-commerce websites. Magecart attacks typically involve injecting malicious code into the website's payment page, which then captures the payment card details of customers when they make a transaction.
The Magecart attack is a sophisticated form of cybercrime that often goes undetected for long periods, allowing the attackers to steal large amounts of payment card data. The stolen data can then be used to make fraudulent purchases or sold on the dark web.
These attacks are typically executed in two stages: the initial compromise and the data exfiltration.
- Initial Compromise:
The initial compromise is usually achieved through a vulnerability in the e-commerce website. Attackers may exploit a vulnerability in the website's content management system (CMS), a third-party plugin, or even a third party JavaScript you run on your site. Once the attacker gains access to the website, they inject malicious code into the website's payment page.
The malicious code is designed to capture payment card details when a customer makes a transaction. The code may also include obfuscation techniques to make it difficult to detect.
- Data Exfiltration:
Once the malicious code has been injected, it captures payment card details such as the card number, CVV, and expiration date. The data is then sent back to the attacker's server, typically using an encrypted channel to avoid detection.
Normal <div> forms that send data directly to the backend or payment gateway are considered high-risk because third-party JavaScript can access the form data and steal credit card information without disrupting the checkout process, potentially going unnoticed for months.
However, IFrames provide a solution to this problem. By isolating payment forms and sensitive content within an iframe, website owners can protect them from malicious scripts injected into other parts of the website.
PCI encourages the use of IFrames and redirect payment integration methods because attackers would have to break the usual form or add an additional card collection form that would raise a red flag for consumers.
How does PCI DSS help prevent Magecart attacks?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect payment card data. The PCI DSS standards are mandatory for any organization that handles payment card transactions, including e-commerce websites. Compliance with PCI DSS helps businesses prevent Magecart attacks by ensuring that they have implemented appropriate security measures to protect payment card data.
Some specific PCI DSS requirements that are particularly relevant to preventing Magecart attacks include:
-
Requirement 2.2.2 - Changing Vendor Defaults
Changing vendor default passwords is important for maintaining the security of systems. Many vendors provide default usernames and passwords for their products and services. These defaults are often well-known and easily accessible to attackers, who can use them to gain unauthorized access to systems and data. - Requirement 6.3.3 - Ensuring critical security patches are implemented in a timely fashion. Deploying critical security patches promptly is essential for maintaining the security of systems and data. Cyber attackers are constantly searching for vulnerabilities in software and applications that they can exploit. When a vulnerability is discovered, software vendors typically release a security patch to fix the issue. Delaying the deployment of critical security patches can leave systems vulnerable to attacks and increase the risk of a successful breach. Cyber attackers often scan for unpatched systems, and once they find one, they can use it to gain access.
-
Requirement 6.4.3 - Managing all payment page scripts executed in the consumer’s browser.
Implementing controls such Content Security Policy (CSP) and Subresource Integrity (SRI) can provide a powerful defense for your website.
CSP sets rules that tell your website what content is allowed to be loaded, using a special header that lists the sources of trusted content (like scripts, images, and stylesheets) that are allowed to be run.
SRI uses cryptographic hashes to verify that web resources such as scripts are authentic and unaltered since they were first loaded. If a script has been modified by a bad guy, the SRI check will fail and the bad guy can't steal your customer's data. -
Requirement 11.6.1 - Payment page change detection
Unauthorized changes to payment pages can lead to data theft or malware injection. It is essential that website owners and administrators can detect a change and stop an attack before too much damage is done.
Conclusion
Magecart attacks are a serious threat to e-commerce businesses worldwide. These attacks can result in significant financial losses and damage to a business's reputation. Compliance with PCI DSS is a critical step in preventing Magecart attacks by ensuring that e-commerce websites have implemented appropriate security measures to protect payment card data. Businesses that handle payment card transactions should take PCI DSS compliance seriously and work to implement the necessary security controls to protect their customers' payment card data.