eCommerce security gets new Magecart threat, over 80 retailers hit


Over 80 eCommerce websites were compromised by Magecart groups, according to the 2.5-hour eCommerce security research conducted by Aite Group and commissioned by Arxan Technologies.

The report “In Plain Sight II: On the Trail of Magecart” reveals the weakness of eCommerce security among global retailers. The research shows that online shopping sites still run outdated versions of Magento, which leaves them vulnerable to unauthenticated file upload and remote code execution.

“Magecart” refers to threat groups that employ credit card skimming technology to steal information from eCommerce platforms. Magecart groups were reportedly behind the breaches experienced by international brands like Ticketmaster, Forbes, and British Airways in 2018.

Researchers also found that the sites had no in-app protection particularly for tamper detection and code obfuscation. An estimated 20 percent of the websites were reinfected within five days of addressing the initial issue.

In addition, the study reveals that “25 percent of the sites discovered were large, reputable brands in the motorsports industry and luxury apparel.”


Aaron Lint, Chief Scientist and VP of Research at Arxan Technologies, warns about how third-party components affect eCommerce security. He says they have created “a supply chain where an attacker can easily compromise thousands of sites with a mere few lines of code.”

Formjacking, another term for virtual credit card skimming, is malicious code woven into a web application, often the shopping cart. This scheme is used to steal credit card data that is then sold on the black market.

“Because so many web applications are lacking in-app protection, adversaries are able to easily debug and read a web app’s JavaScript or HTML5 in plain text,” says Alissa Knight, cybersecurity analyst for Aite Group and author of the In Plain Sight series of research.

She emphasizes that security solutions should include detection of code tampering and analysis, threat detection, and real-time alerting and response.
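The two defensive points above, the third-party script supply chain and the lack of tamper detection, come down to one check a site operator can automate: record an integrity hash for every script the checkout page loads, pin it with a Subresource Integrity attribute, and re-verify the served scripts so that a modified, missing or unexpected script raises an alert. The following Python is an added example written for this article; it is not code from the report, from Arxan or from Aite Group, and every URL and script body in it is constructed sample data.

```python
"""
Added example (not from the article, Arxan or Aite Group): baseline-and-compare
integrity monitoring for third-party checkout scripts. All URLs and script
bodies below are constructed sample data.
"""
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity token ("sha384-<base64 digest>") for a
    script body; the same value goes in a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit a script tag pinned to the current content. If the file on the CDN
    is later changed, the browser refuses to execute it instead of running the
    altered code."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def compare_to_baseline(baseline: dict, fetched: dict) -> dict:
    """Compare freshly fetched script bodies against recorded SRI hashes.

    Returns {url: status} where status is one of:
      unchanged  - hash matches the baseline
      modified   - same URL, different content (possible tampering)
      missing    - baseline script no longer served
      unexpected - script served that the page never loaded before
    """
    report = {}
    for url, expected in baseline.items():
        if url not in fetched:
            report[url] = "missing"
        elif sri_hash(fetched[url]) == expected:
            report[url] = "unchanged"
        else:
            report[url] = "modified"
    for url in fetched:
        if url not in baseline:
            report[url] = "unexpected"
    return report


def alerts(report: dict) -> list:
    """URLs worth paging on: anything whose status is not 'unchanged'."""
    return sorted(url for url, status in report.items() if status != "unchanged")


# Constructed sample: a cart script as recorded at deploy time, and the same
# script after an extra line was appended to it (hypothetical hosts).
CART_JS_ORIGINAL = b"window.cart = {items: []};\n"
CART_JS_TAMPERED = CART_JS_ORIGINAL + b"/* appended line */\n"

SAMPLE_BASELINE = {
    "https://cdn.example.test/cart.js": sri_hash(CART_JS_ORIGINAL),
    "https://cdn.example.test/analytics.js": sri_hash(b"track();\n"),
}
SAMPLE_FETCHED = {
    "https://cdn.example.test/cart.js": CART_JS_TAMPERED,
    "https://cdn.example.test/extra.js": b"// not in baseline\n",
}


def audit_sample() -> dict:
    """Run the comparison over the constructed sample data."""
    return compare_to_baseline(SAMPLE_BASELINE, SAMPLE_FETCHED)


if __name__ == "__main__":
    for url, status in audit_sample().items():
        print(f"{status:10} {url}")
    print("alert on:", alerts(audit_sample()))
    print(script_tag("https://cdn.example.test/cart.js", CART_JS_ORIGINAL))
```

In production the `fetched` mapping would be filled by periodically downloading each script URL the checkout page references (or by a build step that inlines them), and the baseline would be regenerated only on a deliberate, reviewed deploy; the SRI tag makes the browser enforce the same pin on every page load, while the comparison gives the real-time alerting the article calls for when a script changes between checks.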
