As the global pandemic has shifted life into the online space, cybercriminal groups have keenly exploited the digitisation of society’s interactions over the lockdown period. One particularly notorious group that security teams should be aware of is Magecart, a shadowy criminal syndicate responsible for many of the recent high-profile credit card skimming attacks.
Who is Magecart?
Magecart – whose name is a portmanteau of Magento and shopping cart – is an online criminal organisation with a wide portfolio of attacks against organisations across the globe. Its modus operandi is to steal the data, especially credit card information, of unsuspecting customers by inserting malicious code into the framework of legitimate company websites.
Notable examples of Magecart pilfering include the 2018 attack on British Airways (BA), in which the details of 500,000 customers were swiped by the attackers – this led to the Information Commissioner's Office (ICO) issuing BA a £183m fine for breaching the General Data Protection Regulation (GDPR).
A slew of attacks has followed, including the most recent September 2020 strike against Warner Music Group. Underlining the scope of the threat, a Magecart attack has been recorded to infect a website every 16 minutes.
Upgrading the arsenal
Web skimming has proven to be a highly lucrative tactic in the arsenal of cybercriminal groups. To protect organisations, it's therefore important to understand what tools threat actors use and how those tools have developed over time.
One tool that is being seen by security researchers with increasing ubiquity is the Inter Skimmer kit – indeed, this skimming tool is one of the most commonly used digital skimming solutions across the globe. In fact, recent research identified that Inter Skimmer is currently active on more than 1,500 websites.
A worrying aspect of the Inter Skimmer kit is that it has made the execution of web skimming attacks far more accessible to those who would not ordinarily have the know-how to conduct them. There is a thriving underground market for skimmers, compromised sites, and stolen data. Faced with free-market competition, crooked developers have found that the easier a skimmer is to use, the more likely it is to sell.
The Inter Skimmer is a hot cybercrime market item and comes pre-packaged and instantly deployable. This allows prospective cybercriminals with a bit of money and a little expertise to immediately and easily begin targeting businesses. Like legitimate software that can be purchased, the Inter Skimmer comes with a dashboard to help generate and deploy skimming code, and with back-end storage to collect the skimmed payment data.
When looking at how the Inter Skimmer has proliferated, it is important to understand the underground market dynamics that have allowed it to do so. Skimmers are continuously being developed and upgraded, similar to commercially available software. This has led to the Inter Skimmer being highly efficient and more difficult to detect.
Indeed, today's Inter Skimmers can even integrate an obfuscation service: if the actor has an API key, a far wider variety of obfuscation techniques becomes available. Other new features include creating fake payment forms on sites that use payment service providers such as PayPal, and quick, automatic checks of newly exfiltrated data against previously skimmed data, via MD5 hashes and cookie information, to identify and remove duplicates.
Thwarting the Inter Skimmer threat
Given the serious nature of the threat and the damage that can be wrought upon a company's brand if it falls victim to a high-profile skimming attack, it's vital that organisations prepare for the possibility of an attack.
Paramount to remaining safe is extensive knowledge and visibility of the organisation's web-facing digital assets and their underlying JavaScript, regardless of whether it was developed in-house or loaded from a third-party provider as a service. Because skimmer code executes on the user's machine, seeing the world through the eyes of the user can highlight malicious changes that would otherwise go unnoticed.
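One concrete way to "see through the eyes of the user" is to record a baseline of every script a page actually delivers to the browser (external script URLs plus hashes of inline script bodies) and diff later captures against it. The Python below is an added example written for this article, not RiskIQ's tooling or any code from the original; the HTML snippets and hostnames in it are constructed for illustration.

```python
# Added example: inventory the scripts a page delivers and diff against a known-good
# baseline, so an injected or altered script on a payment page stands out.
# The HTML documents and hostnames below are constructed, not taken from a real site.
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # (kind, value) tuples: ("external", url) / ("inline", sha256)
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src))
        else:
            self._in_script, self._inline = True, []

    def handle_data(self, data):
        # HTMLParser hands <script> content over as raw CDATA, so it arrives here intact.
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._inline).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def script_inventory(html):
    """Return the set of scripts a browser would execute for this HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return set(collector.scripts)


def diff_against_baseline(baseline, current):
    """Scripts present now but not in the baseline (and vice versa) are the alert signal."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


# Constructed samples: the approved checkout page, and a later capture where the inline
# script has been altered and an unexpected third-party script has appeared.
BASELINE_HTML = ('<html><head><script src="https://cdn.example/checkout.js"></script>'
                 '<script>init("checkout");</script></head><body></body></html>')
CURRENT_HTML = (BASELINE_HTML
                .replace('init("checkout");', 'init("checkout"); trackPage();')
                .replace("</body>", '<script src="https://third-party.example/analytics.js"></script></body>'))

if __name__ == "__main__":
    print(diff_against_baseline(script_inventory(BASELINE_HTML), script_inventory(CURRENT_HTML)))
```

In practice the capture would come from a real browser session against each payment page, so that scripts loaded dynamically by other scripts are included too.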
Without a doubt, web skimmers will continue to be developed and improved through the aggressive mechanisms of black-market capitalism. For organisations to protect both their customers and their brands, they too must guarantee that their security infrastructure is being routinely developed, so that they can detect and thwart Inter Skimmer attacks as they inevitably arise.
Contributed by Fabian Libeau, VP, EMEA, RiskIQ