The Clearsale Blog

Could a Magecart Attack Hit Your E-Commerce Website?

Since April 2019, nearly 17,000 e-commerce websites have had their online shopping carts compromised by the latest and scariest new cyberattack tactic: Magecart attacks.

These numbers are staggering, and the attacks are proving frustratingly difficult to stop. Worse, the ramifications will be real and painful for any merchant that gets hit. After all, how can any merchant ever regain the trust of its customers if their online shopping cart has been proven untrustworthy?

In the fight to stop these terrifying attacks, here’s what every e-commerce merchant needs to know.

What Is a Magecart Attack?

According to a new report from threat intelligence firm RiskIQ, the hackers act on vulnerabilities that are created when website owners inadvertently misconfigure their Amazon Web Services (AWS) S3 storage servers. These servers act as cloud-based “buckets” that store important data – including credit card numbers that are collected by e-commerce websites.

AWS S3 servers are secure when their standard settings are used; however, many companies customize these settings. If the customization is misconfigured, a security gap can occur. This misconfiguration can allow anyone with an AWS account to not only read the contents of the “bucket” but also write new code onto the servers – such as code to steal card data from an e-commerce site.
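The misconfiguration described above can be checked for directly. The following is an added example, not code from the article, RiskIQ or AWS: it audits bucket ACLs shaped like the S3 GetBucketAcl response for grants to the two predefined global groups. It covers ACL grants only (bucket policies are out of scope), and the bucket names and owner ID are constructed.

```python
# Added example: flag S3 bucket ACL grants made to AWS's predefined global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTH_USERS: "anyone with an AWS account",
}
# WRITE lets the grantee create or overwrite objects; WRITE_ACP lets them
# rewrite the ACL itself; FULL_CONTROL includes both.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_PERMS = {"READ", "READ_ACP"}


def audit_acl(bucket, acl):
    """Return one finding per grant to a global group in a GetBucketAcl-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GLOBAL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or who is None:
            continue  # grant to a specific account, not to a global group
        perm = grant.get("Permission")
        if perm in WRITE_PERMS:
            severity = "CRITICAL"  # stored scripts can be overwritten
        elif perm in READ_PERMS:
            severity = "WARNING"   # bucket listing or ACL is readable
        else:
            continue
        findings.append({"bucket": bucket, "severity": severity,
                         "permission": perm, "grantee": who})
    return findings


def audit_buckets(acls):
    """Audit a {bucket_name: acl} mapping; CRITICAL findings sort first."""
    findings = [f for name, acl in acls.items() for f in audit_acl(name, acl)]
    return sorted(findings, key=lambda f: f["severity"])


# Constructed sample input (hypothetical bucket names and owner ID).
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACLS = {
    "example-static-assets": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ]},
    "example-private": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for finding in audit_buckets(SAMPLE_ACLS):
        print(finding)
```

Against a live account, the ACL dictionaries would come from boto3's `get_bucket_acl(Bucket=name)` for each bucket instead of the constructed sample.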

The result is a compromised checkout process. As a customer inputs their credit card details into a cart payment form, the malicious code skims these details and sends the data to the hackers’ servers. This stolen data — including the customer’s name, credit card and CVV number, and expiration date — then often finds its way to the dark net, where it’s purchased and used by other fraudsters.

Why These Attacks Are Increasing

Perhaps surprisingly, Magecart attacks aren’t anything new. Since as early as 2015, cybercriminals have used Magecart attacks to take advantage of vulnerabilities that enable JavaScript files to be overwritten.

One reason these attacks are on the rise in recent months is that the scripts are cheap to buy – costing between $250 and $5,000 in underground forums – and easy to customize to maximize the damage.

In fact, the attacks are so easy to run that attackers have been changing their tactics and using a “spray and pray” approach. Rather than explicitly targeting specific websites with known security gaps, today’s attackers are casting a wide net and altering the code even on websites that have nothing to do with e-commerce. And once the code has been installed, it can be frustratingly difficult to find and remove.

Worse, many websites use the same AWS S3 buckets – meaning that altering the code in one bucket could ultimately impact multiple sites. One attack, reported in early July 2019, hit nearly 1,000 online retailers and resulted in customers’ credit card details being stolen in less than 24 hours.
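Because the altered code lives in files the site already trusts, one way to find it is to compare what is being served against a baseline recorded at release time. The following is an added example, not code from the article: it computes Subresource Integrity style SHA-384 digests and reports scripts that were modified, added or removed. The file names and file contents are constructed.

```python
# Added example: detect changed or unexpected scripts against a release baseline.
import base64
import hashlib


def sri_digest(data: bytes) -> str:
    """Return a digest in the format used by the HTML integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def build_manifest(files: dict) -> dict:
    """Map each file name to the digest of its content."""
    return {name: sri_digest(body) for name, body in files.items()}


def diff_against_baseline(baseline: dict, served: dict) -> dict:
    """Compare the served files with the manifest recorded at release time."""
    current = build_manifest(served)
    report = {"modified": [], "unexpected": [], "missing": []}
    for name, digest in current.items():
        if name not in baseline:
            report["unexpected"].append(name)   # file nobody released
        elif baseline[name] != digest:
            report["modified"].append(name)     # content differs from release
    report["missing"] = [n for n in baseline if n not in current]
    for names in report.values():
        names.sort()
    return report


# Constructed sample: what was released versus what the bucket serves now.
RELEASED = {
    "js/cart.js": b"function addToCart(id) { /* ... */ }\n",
    "js/checkout.js": b"function submitPayment(form) { /* ... */ }\n",
}
SERVED = {
    "js/cart.js": RELEASED["js/cart.js"],
    # Same file with extra bytes appended after release (constructed).
    "js/checkout.js": RELEASED["js/checkout.js"] + b"/* appended after release */\n",
    "js/helper.js": b"/* file that was never part of the release */\n",
}
BASELINE = build_manifest(RELEASED)

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, SERVED))
```

The baseline has to be stored somewhere the bucket's writers cannot reach, otherwise whoever alters a script can update its digest as well.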

It’s not just small sites that are vulnerable, either. In 2018, industry giant British Airways had 380,000 customers’ payment details stolen in a Magecart attack. Ticketmaster and Newegg are also thought to have been hit by Magecart attacks.

How e-Commerce Merchants Can Protect Their Websites

Every retailer selling online needs to understand that their platform could be targeted at any time by fraudsters launching Magecart. These cybercriminals have also begun experimenting with new, even subtler techniques that are harder for merchants to detect and can collect more data, such as login credentials.

Merchants running old versions of a shopping platform are especially at risk, which is why it’s critical to update and patch content management platforms routinely.

In the end, it might be that a simple, proactive approach to website security is the easiest and most effective way to avoid being compromised and ensure the safety and security of the business’s data and revenue.
