A recent study by Qubit has highlighted a 70.7% increase in online shopping, which has been attributed to the COVID-19 pandemic and closure of physical stores. The increase has made the prospect of credential theft and card skimming a particularly profitable and abundant criminal venture.
Research by the software company Cyberpion highlights that more than 10,000 websites and applications are vulnerable to card skimming or "Magecart" attacks.
These attacks involve malicious code being inserted on the target website, either directly or through hijacking of applications or plugins. The code is then executed client-side on the user’s browser, resulting in credentials and potentially payment details being stolen by the cyber-criminal.
Magecart is a term first coined by cyber security company RiskIQ in 2016 and is a contraction of the words Magento, which is a prolific open-source e-commerce platform, and shopping cart.
Exfiltration can be achieved in many ways, such as the use of a simple POST request within the code, or quite uniquely through obfuscating the stolen information within image files, a technique known as steganography.
Several tracked criminal groups specialise in this style of attack, including Magecart Group 7, 8 and 12, who have specific tactics, techniques and procedures (TTPs).
Magecart attacks appeared to peak in 2018, with high-profile attacks on Ticketmaster, British Airways and Newegg, but have continued to evolve and develop, on average costing the target company $50-200k in fines and recovery costs.
Many Magecart attacks come in the form of prebuilt skimmer packages, which are bought and sold on dark web marketplaces and hacker forums and can then be configured by a cyber-criminal for their own use.
A large proportion of shoppers now use their mobile phone as their primary browsing device, with research suggesting that around 75% of online purchases are made via a browser on a phone. As such, many Magecart skimmers are now being designed to specifically target mobile devices, such as the MobileInter skimmer, which performs mobile browser checks prior to execution, only targeting.
As an example, below are the results from a website known to be infected with Magecart script. The malicious code can be easily identified, as it is being hosted on an OVH IP (4), standing out from other scripts which are being hosted on the website's IP, or other genuine third-party scripts belonging to Google.
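The check described above, as an added example that is not part of the original report: it inventories every external script on a page and flags any that is hosted neither on the site's own IP nor with an approved third party. The page, hostnames, IPs and owner labels are constructed sample data, and `audit_scripts` is a hypothetical helper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: checkout page of a hypothetical shop.
PAGE_URL = "https://shop.example.com/checkout"
PAGE_HTML = """
<script src="/static/js/cart.js"></script>
<script src="https://static.shop.example.com/js/vendor.js"></script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn-metrics.example.net/lib/jquery.min.js"></script>
"""
# Constructed lookup results, host -> (IP, network owner); in practice these
# would come from DNS resolution plus a WHOIS/ASN lookup.
RESOLVED = {
    "shop.example.com": ("192.0.2.10", "Example Hosting"),
    "static.shop.example.com": ("192.0.2.10", "Example Hosting"),
    "www.googletagmanager.com": ("198.51.100.20", "Google"),
    "cdn-metrics.example.net": ("203.0.113.66", "OVH"),
}
TRUSTED_OWNERS = {"Google"}  # assumption: third parties the site owner approved

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_scripts(page_url, html, resolved, trusted_owners):
    """Return (url, ip, owner, verdict) for each external script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    site_ip = resolved[urlparse(page_url).hostname][0]
    findings = []
    for src in collector.sources:
        url = urljoin(page_url, src)  # resolves relative and //host/ forms
        ip, owner = resolved.get(urlparse(url).hostname, (None, "unresolved"))
        if ip == site_ip:
            verdict = "first-party"
        elif owner in trusted_owners:
            verdict = "known-third-party"
        else:
            verdict = "review"  # hosted outside the site and approved vendors
        findings.append((url, ip, owner, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_scripts(PAGE_URL, PAGE_HTML, RESOLVED, TRUSTED_OWNERS):
        print(*finding, sep="  ")
```

A "review" verdict is a prompt to inspect the script, not proof of a skimmer; hosts that fail to resolve are also sent to review.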
It is common to see an increase in Magecart skimming attacks in the run up to Black Friday and the festive season, due to the increased opportunity seasonal shoppers present to criminals.
In December 2020, there was a surge of skimming attacks involving malicious PayPal iframes, which imitated the genuine checkout process of compromised websites, and it is likely that similar attacks will occur this year.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).