Magecart May Make Holidays Less Merry – Cyber Defense Magazine
Third-party plug-ins driving most retail sites can open doors to attackers
by Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks
In the unprecedented year of 2020, the rise in cyberattacks has been an unfortunate side effect of the global pandemic.
Magecart is more of a threat this year than ever before, both because a) more shoppers have moved online so the volumes are higher, and b) in the rush to introduce new online and curbside services during the pandemic, far more new plug-ins and APIs were added, creating new potential vulnerabilities.
With the mass migration to online sales and curbside pickups, e-commerce companies and retailers are at substantially increased risk of Magecart attacks this year, largely because site plug-in providers form a vast, unmonitored and leaky supply chain behind most online retail websites. The average online retailer website has 39-40 external sources of JavaScript alone, not counting CSS code. In most organizations, no single person tracks who added them, why, or through what vetting process, if any.
As a result, the ecosystem at the retailer’s website level continually expands, forming a gargantuan supply chain that no one knows exists. This problem is far bigger than the owner of the domain can address on their own.
Vulnerability scanning does not pick up every sort of injection attack that Magecart thrives on.
Most Retail Websites Replete with Third-Party Components and Risk
Of the four techniques of injecting malicious code, three are done through supply chains and just one through direct code injection.
Ongoing pen testing of sites and auditing of source code is sorely needed, but third-party site builders often don’t take this on as their responsibility – it’s not their reputation at stake, but the site owner’s brand. Examples of plug-ins include ad servers and shopping carts with add-ons such as “rate this” on payment pages.
Shifting to crypto payments won’t reduce Magecart vulnerability. The Masad Stealer is an example of an attack that operates in the victim’s browser. When the victim enters the payment details of the party they intend to pay, the stealer replaces them with the attacker’s own, and the outbound payment is routed to the attacker.
Steps toward solutions that retailers should consider include Subresource Integrity (SRI), which ensures that script content is not modified along the way. Most sites are edited by multiple third parties, such as content delivery networks.
Also, consider using Content Security Policies, which are policies supported by browsers and web servers that say “Here are the only domain names my pages are allowed to fetch executable scripts from.” In the retailer’s code, the rules should authorize only those few approved domains. This would close several avenues that Magecart uses to inject JavaScript. Other recommendations include:
- Companies must also identify all third-party e-commerce providers and advertisers they work with and ensure that those providers do continuous self-assessments and audits. The best way to do this is to require that their code be audited by a trusted third party. To then avoid supply chain injections, the company should host that third-party code itself where possible and not fall for the ease of inclusion by reference. It then needs to keep that code up to date with security patches.
- Test everything – for example, inject your own JavaScript code into the browser and review what’s happening. There are tools to do that.
- Ensure scanners have access to critical flows, such as shopping carts.
- JavaScript virtualization – it’s important to keep an eye on performance, as delays can be detrimental to overall company goals.
The biggest problem is a people problem – not with users and consumers, but with the organizations themselves. They don’t see the massive amount of unmanaged third-party plug-ins that drive their websites as vulnerabilities, so the problem continues.
About the Author
Mounir Hahad is Head of Juniper Threat Labs at Juniper Networks. He is a seasoned cybersecurity expert focused on malware research, detection techniques, and threat intelligence. He leads Juniper Threat Labs in identifying and tracking malicious threats in the wild, ensuring Juniper products implement effective detection techniques, and providing access to the latest threat intelligence needed to block malicious attacks. Prior to joining Juniper, Mounir was the head of Cyphort Labs and has held various leadership roles with Cisco and IronPort.
Mounir can be reached online at @Mounirhahad and at our company website https://threatlabs.juniper.net/signatures/#/