The PCI Security Standards Council and the Retail & Hospitality ISAC issued a joint bulletin to highlight an emerging threat that requires urgent awareness and attention. The full bulletin can be viewed here.
What is the threat?
A term sometimes used in the press for this threat is Magecart. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.
How do these attacks work?
These threat actors use various methods, which include exploiting vulnerable plugins, brute force login attempts (credential stuffing), phishing and other social engineering techniques, all in an attempt to gain access and inject malicious code. These attacks are either directly into e-commerce websites or often into a third-party’s software libraries that merchants rely upon. These service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details including, billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
Who is most at risk?
Any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Attacks target e-commerce websites, third-party service providers, and companies providing applications used on websites. Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software.
Additionally, the threat is persistent. One in five Magecart-infected stores are re-infected within days, according to a report by security researcher Willem de Groot1. For that reason, it is crucial that affected systems be cleaned and that underlying vulnerabilities be patched or mitigated. If an underlying vulnerability is not addressed, or if some of the attacker’s code remains on the system, it could lead to reinfection.
What are some DETECTION best practices?
- Use of vulnerability security assessment tools to test web applications for vulnerabilities
- Use of file-integrity monitoring or change-detection software
- Performing internal and external network vulnerability scans
- Performing period penetration testing to identify security weaknesses
What are some PREVENTION best practices?
- Implement malware protection and keep up to date
- Apply security patches for all software
- Restrict access to only what is absolutely needed and deny all other access by default
- Use strong authentication for all access to system components
“These attack techniques are of increasing significance to the retail and hospitality industry,” said Carlos Kizzee, vice president, Intelligence, Retail and Hospitality ISAC. “Hospitality companies rely on their digital properties (website and mobile apps) to enable convenient and effective interactions with their guests. It is crucial that those companies maintain awareness of the impact of third-party activity on those sites, and especially aware of any additional parties that they are not in contractual privity with who are attaching themselves to those ecommerce platforms, generally not known by the companies that own and maintain them.”