In the early days of e-commerce, putting in your credit card details and personal information on a website seemed not just novel – but downright scary. For a lot of users, it was a decision that required plenty of thought and weighing up the risks involved. Sometimes that risk was considered just too great for them to continue.
Today, paying for goods and services online comes about as naturally as breathing. In a world in which the biggest retailers are online, much of our entertainment comes via the internet, and sharing our most personal information using social media is standard issue, entering your payment card details on a website is something most people don’t think twice about.
But how do you know that the website you’re entering those details into is doing right by its users? After all, there are few pieces of information more potentially compromising than your financial credentials – and if these fall into the wrong hands you could be in a whole lot of trouble. Or, at the very least, put through great inconvenience.
This is, in essence, the big threat of web skimmers. A web skimmer refers to a piece of bad code embedded onto an ecommerce website’s payment page with the goal of collecting and stealing whatever payment card details are entered by trusting users. This information can then be passed along to the attacker, who might sell it to third parties or potentially use it themselves for financial gain. While the website itself may be entirely legit, web skimmer attacks allow this trust to be exploited by the worst online actors imaginable.
Enter Magecart
The most famous (or infamous) of web skimmers is Magecart. An infamous consortium of hackers who target e-shopping cart systems – frequently the Magento system, hence the “Mage” part of the name – Magecart has been behind some of the biggest web skimming attacks of recent years.
So closely associated with web skimming attacks are they, that these attacks are now frequently generically termed Magecart attacks, even when the hacker consortium is not explicitly behind them. Magecart attacks have been used to steal not just financial payment card data, but also email addresses, names, addresses, phone contact details, and more.
In one notable Magecart attack, payment data for an astronomical 380,000 British Airways customers was stolen. This breach resulted in a record-setting GDPR fine of $229 million for failing to adequately protect customer information. This was equivalent to some 1.5 percent of British Airways’ total revenue for the year in question.
Other entities targeted by Magecart attacks include the likes of Ticketmaster, Macy’s Tupperware, Robert Dyas – to name just a few.
Frighteningly for customers and businesses alike, it doesn’t take much on the part of attacks to cause immense damage – and, in the case of BA, heavy fines. Case in point: The British Airways breach was reportedly caused by just 22 lines of code.
As more and more financial transactions take place online, so the threat of web skimming (also called “formjacking”) attacks continues to grow, along with the appeal of executing such attacks for hackers. Websites and customers are still at risk of suffering these attacks. Recently, three fresh Magecart attacks were highlighted, exploiting possible weaknesses in the WooCommerce online platform.
WooCommerce makes up around 29 percent of the top million e-commerce websites, with upward of 5 million active installs of the freely available plugin. Many of WooCommerce’s users are small and mid-sized businesses, which may be particularly vulnerable to such attacks.
Protecting against web skimmers
It’s essential that organizations take the right steps to protect against web skimming attacks like those mentioned above. Fortunately, there are tools and methods that can help with this. For example, businesses should audit all third-party JavaScript code on their websites, as well as requesting third-party vendors to audit their own code, to ensure that it does not contain potential malicious instructions.
They should also make use of tools like Runtime Application Self-Protection (RASP), Web Application Firewalls (WAF), Advanced Bot Protection and more, in order to spot possible attacks and block them before they cause any harm. Make use of the right preventative and protective measures and the threat of web skimming attacks is greatly reduced.
E-commerce is only going to become bigger and more important. In addition, it’s getting more competitive all the time, meaning that – even if you’re not fined big bucks for an infraction like British Airways was – it could still be enough to cost you significant business in terms of damaged reputation. By taking the recommended steps to defend against attacks like those enacted by Magecart will ensure you can continue taking advantage of the enormous potential of selling products online – without having to spend every waking hour fretting about the threats posed by bad actors.
After all, no business owner or customer wants to have to do that.
