Back in July, a group of cyberattackers called Magecart made the e-commerce word shake. Its malicious skimming code, which is inserted into the websites of these businesses to steal personal and financial data from their customers when making purchases, was discovered on nearly 18,000 domains. And this incident wasn’t the only one.
A year ago, British Airways announced that it had fallen victim to a massive data breach. Attackers managed to steal the personal data of around 500,000 BA customers including such sensitive information as names, credit card numbers and their CVV codes, and email addresses. Ten months later, the airline received a record fine of £183 million (€204,110,000) under the GDPR. Who was behind this attack? Magecart.
The hotel sector in the firing line
In September, two hotel chains were discovered to have been affected by a Magecart campaign. In this campaign, the skimming code was injected into the mobile websites of the two chains in a supply chain attack on a provider.
In both cases, the provider was Roomleader, a Barcelona-based company that provides digital marketing and web development services. One of the services that Roomleader provides is a module that saves the hotels the visitor views in their cookies. The two affected hotel chains had implemented this modules, which the attackers had infected with malicious JavaScript.
As is often the case with Magecart attacks, the skimming code is designed to function in a digital environment and steal data from payment forms. This data includes credit card details, names, email addresses, and phone numbers. This data is then doubly encrypted and exfiltrated to the attackers, who can decrypt it and view it.
Download the hotel cybersecurity whitepaper
Why did they only attack the mobile websites?
Although the skimming code is able to steal data from both computers and mobile devices, the Magecart attackers specifically programmed the malware to affect only mobile users. Anyone visiting the website from a computer saw a normal JavaScript. This was likely done to stop the security software that is normally present on computers from detecting it.
Another trick used by the attackers was to program the skimmer to replace the payment forms with slightly different versions created by the attackers. They even went so far as to translate the sites into the eight languages used by the companies they were attacking.
It is believed that this was done because many hotel booking forms don’t ask for the CVV code in advance, since customers pay on arrival at the hotel. The attackers needed this code in order to be able to use the stolen data, so they created a version of the form that requested it.
Don’t let Magecart steal you company’s data
The list of Magecart victims is long, and includes such well known companies as Ticketmaster, Forbes and Amazon CloudFront. In order to attack so many e-commerce companies, a wide range of techniques is needed, as well as constant adaptation to new situations, which means that organizations need to adopt a stance of permanent cyber-resilience. This is why it is so important to get ahead of these attacks and ensure that they cannot affect your organization.
Panda Adaptive Defense: constantly monitors all of your organization’s systems and processes. This way, it can prevent and avoid any cyberthreat before it can cause any problems, be it malicious code injection, ransomware, or spyware.
Another protection measure that no company can do without is to apply relevant patches for vulnerabilities as soon as possible. It is believed that the massive Magecart campaign that we saw this summer was facilitated by a vulnerability in an web application, which serves to highlight how important this measure is.
Panda Adaptive Defense has an additional module, Panda Patch Management. This module searches for and manages relevant patches for vulnerabilities. It audits, monitors and prioritizes updates for operating systems and hundreds of third party applications so that you can be sure to keep your system up-to-date.
According to RiskIQ, Magecart has been attacking online companies since at least 2016, and it is highly likely to continue carrying out operations against e-commerce businesses of all kinds. Be sure to properly protect your systems so that you don’t become the next victim.