This article has been authored by Gurrashmeet Singh, a law student at Dr. B.R. Ambedkar National Law University, Sonipat, Haryana. This article provides you with insight into the growing data skimming attacks of Magecart.
With the evolution of the internet, where everything is just one click away, online skimmers have evolved with it. They keep finding new schemes to manipulate unsuspecting consumers and steal their sensitive information, inserting viruses, bugs and other malware that infect the processing chains of large companies and make it harder for companies and consumers alike to transact with one another. Cybercrime and Magecart attacks are increasing in tandem with the growth of online commerce. Magecart, a loosely coordinated collection of cybercriminals, compromised more than 12 third-party software manufacturers between 2017 and 2018, resulting in supply chain attacks.
What is Magecart
Magecart is a form of online data skimming that steals data from payment cards. The attackers usually target shopping sites and apps, attacking the client-side browser, which is the front door for consumer interactions. It is not an organisation or association of hackers but a categorical name given to a certain type of data skimming that targets customers' online payment transaction information. A plethora of groups and individuals use this style of attack to get into the systems of high-profile companies and compromise their payment forms.
In general, skimming is the theft of sensitive information, which includes email addresses, credit card numbers, passwords, PINs and other online payment details. In the case of Magecart specifically, the skimmers embed malicious code into the website to steal credit card and payment information. These hackers eavesdrop on transactions and steal the data from its rightful owners. E-commerce websites are easy to hijack because all of them use online payment options, many do not properly vet the code on their pages, and they rely on third-party components; when consumers fill in their credit card credentials, the skimmers quietly steal the data. The core idea behind these attacks is to compromise third-party software from the VAR or systems integrators, or to affect the processing of the industry.
How does Magecart work
These data skimming attacks work step by step. The Magecart operators gain access to the website, embed their code or bug, and skim the data to their own servers, sending the information wherever they want.
Gaining the access to the website
There are mainly two ways for these hackers to get direct access to the inside of the software. They can break directly into the setup code or the server and implant their code and bugs inside the original, legitimate code of the software used by the online retailers. The other way is to compromise one of the third-party vendors that work with online retailers to improve and smoothen the functioning of the website; these vendors are also easy targets, and infecting the third-party tag means it will run malicious code on your website when it is called in the browser.
Skimming the information from the credentials
Transferring the information back to their servers
After they have implanted the code or bug, there is no way to stop them. Once they have gained access to the website and inserted the malicious code, they can send the data and credentials wherever they want in the world. They end up sending the sensitive information from the end-user's browser to almost any location on the internet, to any server in the world.
Evolution of Magecart
- Usage of Ad Servers
The skimmers use ad servers to get into your computer. They use an infected advertising banner, and the ad servers place the Magecart code on a web server. When the user clicks on that ad in the browser, the code gets embedded into your computer. This malicious code can also be hosted by an already compromised server.
- Usage of targeted and elaborate attacks
This demonstrates a shift away from widely disseminating malware in favour of spending time with potential victims to examine their code and infrastructure. This is exactly what occurred to British Airways, where the hackers exploited the logic flow of its internal systems. Magecart was able to access information that was not even stored on British Airways' servers.
Prominent Magecart attacks
The first notable Magecart payment-stealing theft was reported when Ticketmaster, a ticket sales and distribution company, made the news official on June 27, 2018 that the information of its consumers had been compromised. It was not a minuscule breach but a huge hacking scandal involving 800 e-commerce websites. The Magecart skimmers illegitimately entered the servers of these e-commerce websites and stole the payment information of the consumers. The hackers executed the theft by hacking third-party components shared by many of the most used e-commerce websites. They did not break directly into Ticketmaster's servers, but rather got in through a third-party vendor of the site, Inbenta. The vendor, Inbenta, has avoided stating directly that it was compromised.
On September 6, 2018, British Airways announced that its website and mobile app had been compromised and a massive amount of customers' payment information had been stolen by the hackers. They were able to take control of both the website and the mobile app and transfer the information to their own server. Approximately 380,000 people were affected by the breach. Fortunately, the hackers were only able to access payment credentials and were not able to steal customers' passport information. Payments made between August 21, 2018 and September 5, 2018 through both the website and the mobile app were affected. Magecart inserted the malicious script into British Airways' payment forms, from where they were able to skim all the data to their own servers and take advantage of the consumers' payment information.
British Airways (BA) has now opted for an out-of-court settlement with the victims of the data breach, which exposed over 420,000 customers' personal information. The airline has agreed to pay an undisclosed sum to settle thousands of claims as part of a settlement with PGMBM, the court-appointed law firm representing the victims. There is no acknowledgment of culpability on the part of the operator in the resolution.
Amazon S3 Buckets
This Magecart attack occurred in July 2019. The skimmers behind the breach automated the process of breaching sites by scanning directly for misconfigured Amazon S3 buckets, managing to break into a large number of S3 buckets and impact over 17,000 domains of e-commerce retailers. The list included websites among the top-ranked sites of the Alexa ranking index.
Filters Fast joined the expanding list of online businesses hit by a Magecart-style credit card skimmer attack as a consequence of a breach that lasted from July 2019 until July 2020, when the problem was ultimately found. After 324,000 US persons were harmed by the hack, the Attorney General of New York (NYAG) filed a lawsuit.
Filters Fast has now agreed to pay $200,000 to settle a data breach inquiry originating from the 2019 cyber-attack, which exposed the credit card information of an estimated 320,000 customers. The US air and water filtration company agreed to pay the fine to the New York Attorney General's Office and to establish a robust information security programme to prevent future breaches. The first half of the $200,000 payment will be forfeited, with the remainder suspended.
Warner Music Company
Warner Music Group (WMG) has also been the victim of a three-month Magecart cyberattack that exposed its customers' personal and financial information. The hack, which targeted US-based e-commerce services hosted by third parties, took place between April 25 and August 5, 2020. Although the firm acknowledged the compromise, it did not specify how many consumers were affected.
To resolve the problem, the business said it had begun a forensic investigation with cybersecurity specialists and law enforcement officials. It also warned credit card companies that transactions using credit cards impacted by the Magecart attack would be subject to enhanced security procedures. Individuals affected by the attack were also offered a free year of Kroll identity monitoring by the recording company. The music label, on the other hand, refused to disclose a list of the websites hacked by Magecart or the number of clients affected by the incident. Similarly, WMG did not say which external service provider was affected or whether it had contacted the consumers who were affected. Many people who were impacted may not be aware that their payment information has been compromised.
How to prevent Magecart attacks
The greatest protection against Magecart is to prevent access by third-party vendors. Online businesses require a solution that can intercept all API calls made by the website in the browser and prevent access to sensitive data that has not been previously approved. That way, non-critical third-party scripts or harmful scripts can be prohibited from accessing important client information. When an attacker tries to get access to sensitive data, such a system detects it and notifies the organisation or company.
Attacks against websites that collect and handle payment information from end-users are on the rise. Not only are we seeing attacks like these that steal data directly from end-users, but we’re also seeing sophisticated bot attacks that exploit stolen user passwords and credit card details to perpetrate fraud using data from other sites.
Brands must go beyond the edge and implement end-to-end online security protection that can neutralize Magecart assaults in the browser, secure backend infrastructure, and prevent sophisticated botnet attacks.
Many customers place their faith in the online businesses and websites where they purchase. Smaller websites are best avoided, since they are unlikely to have the same level of protection as larger, more established companies. End users should keep track of any charges made to their credit cards: before more widespread fraud, minor test transactions are frequently made to confirm that a credit card number is still active. End users should also consider using payment methods like Apple Pay, which creates a unique number for each transaction, guaranteeing that if an attacker obtains a number they will not be able to use it again. Finally, credit monitoring tools have become a must-have in recent years to ensure that personal information is not used to register new accounts in your name.
Magecart skimming and other data theft are punishable under the law of the land. In India, the Information Technology Act, 2000 deals with these kinds of theft. For unlawful access to a computer system or network, and for providing aid to support such a criminal act, Section 43 of the Act may be invoked to impose civil liability of up to one crore in compensation. Section 66 of the Act applies to cybercrimes, such as Magecart hacking, in which the destruction, deletion, alteration or reduction in value of a computer resource results in criminal penalties. Read with Section 43 of the same Act, Section 66 makes any false or dishonest activity of this kind illegal. Similar to this Act is the Computer Misuse Act, 1990, which criminalises these types of theft in the United Kingdom. It also deals with unauthorised access to computer materials, access with the intent to commit or assist in the commission of further offences, and alteration of data in the computer.
Unveiling the attackers
Over the last three years or so, Magecart has been a plague on internet security, with several threat groups employing it to break into e-commerce websites and steal payment card information. Three suspects were arrested by the local police in Indonesia as part of INTERPOL's investigation called Night Fury, an intelligence-led operation centred on Southeast Asia. C2 servers and hijacked websites were discovered in six nations throughout the region of the Association of Southeast Asian Nations (ASEAN).
The Indonesian suspects, aged 23, 37 and 35, were detained in December 2020 and charged with data theft. Authorities in Singapore discovered and shut down two Magecart-linked C2 servers as part of an ongoing investigation into cybercrime infrastructure and other suspected cybercriminals. While the arrests in Indonesia are welcome, they will scarcely make a dent in the rampant criminal activity. "In recent years, this organisation has had a significant influence on worldwide e-commerce security, skimming at least 571 compromised shops." According to payment security firm Sanguine Security, "they were responsible for just 1% of all Magecart instances since 2017," and it estimates that 40 to 50 additional competent cybercriminals are participating in web-skimming activities.
As seen in this attack, Magecart built specialised, tailored infrastructure to blend in with the particular e-commerce website and evade discovery for as long as possible. While we will never know how much access the attackers had to the servers, the fact that they were able to change a resource of the attacked site suggests they had a lot of it, and the fact that they probably had it long before the attacks even began serves as a stark reminder of the vulnerability of web-facing assets. To escape discovery, attackers bury harmful code within legitimate code.
In certain circumstances, merchants and consumers may be unaware of the malware or data breach for days or even months. Businesses' lack of insight into their web-facing attack surface is part of what makes supply chain hacks so easy. They often have no idea that the third-party code on their online assets is dangerous, or even that they are executing it. Credit card skimming groups like Magecart are becoming more efficient, so consumers are seeing their data stolen in less time than ever before. In the end, consumers do not care whether this happens as a result of a traditional breach or a web-based supply chain attack. The reputation of companies that manage online payment forms, as well as the trust of online customers, is on the line.