It seems that there is no end to the variety and diversity of types of cyberattacks these days. In spite of vendors’ and enterprises’ best efforts to the contrary, hackers invariably come up with new ways of infiltrating organizations and exfiltrating personally identifiable information (PII) of various sorts to cash in on their nefarious desires.
From the bad guys’ perspective, the best hacks have three basic characteristics: they’re inexpensive, easy, and lucrative. Given the sheer number of options for the discerning ne’er-do-well, there’s just no sense in selecting an approach that doesn’t check these three boxes.
These are likely to be the reasons that the recent spate of the Magecart family of hacks has become so popular among the cloak and dagger set. British Airways and Ticketmaster are two of the most well-known recent victims of Magecart attacks – although in truth, the actual victims are their customers.
Here’s some insight into what makes Magecart so popular among hackers – and what you can do to protect yourself.
It’s Not a Bug. It’s a Feature
The primary targets of Magecart are what the industry calls supply chain attacks. “A ‘supply chain attack’ involves a third-party component on a web site,” explained Oleg Kolesnikov, VP of threat research and cybersecurity at Securonix. “Third-party content includes, for example, shopping cart widgets.”
Such third-party content, in fact, is essentially ubiquitous. Take any commercial web site and look at the source HTML under the covers, and you’ll likely find all manner of widgets, plugins, tags, and other code elements that third parties publish for inclusion in other sites. Building a modern web site routinely takes advantage of such components.
The second part of the Magecart story: php object deserialization. php is a common server-side programming language – so common, in fact, that the ‘LAMP stack’ of technologies behind most open source web tools like WordPress leverages php as the ‘P’ (the other letters standing for Linux, Apache, and MySQL).
php’s versatility and power, however, also open it up for shenanigans, including the object serialization that enables Magecart. With object serialization, a coder can treat any snippet of code as though it were data for a program to manipulate as though it were any other data – even if that code be malware.
Object serialization sounds dangerous to be sure – but it’s not a bug. It’s intentionally part of php. In other words, it’s not a bug, it’s a feature – a feature that many web coders misuse.
In the case of Magecart, hackers are using this feature of php to inject malicious JavaScript. “Hackers are using php object deserialization attack to inject replacement JavaScript,” Kolesnikov explained.
The JavaScript in question runs in the browser – any browser. So once hackers have compromised a third-party widget, any site running that widget will execute its malicious JavaScript, right in your browser.
And in spite of the inclusion of ‘cart’ (as in shopping cart) in the name ‘Magecart,’ Magecart can infect any widget – including tools as benign as feedback forms. No third-party component is invulnerable.
Skimming and other Sneakiness
The primary use of Magecart’s supply chain attacks is ‘skimming’ – that is, stealing essential PII like credit card numbers, expiration dates, CVVs, the names of cardholders, and the like – in other words, the bits of information hackers can find a ready market for on the Dark Web.
However, hackers today are often not content to simply steal data in order to make a few bucks – or even a lot of bucks. They often have additional, ulterior motives just to make things interesting.
One hacker group using Magecart for more than skimming goes by the name Group 11. “Magecart… can be used to steal data that is unrelated to payment processing. While Group 11’s skimmer isn’t any different than those of other groups, the way they use it is,” explained Yonathan Klijnsma and Jordan Herman, threat researchers at RiskIQ. “Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators.”
In other words, Group 11 is upping the game from credit card numbers to administrative credentials. And once a hacker has those keys to the kingdom, it can wreak any havoc it cares to.
Beware Tripwires
If Magecart and its nefarious purveyors aren’t sneaky enough, some of them are including ‘tripwires.’ “Some versions of Magecart include special tripwire code that detects the use of development tools to view the source of the scripts, and reports the IP address, browser, and time zone as well as some additional information about your system to one of the Magecart C2 addresses,” explain Kolesnikov and his colleague Harshvardhan Parashar, a security research engineer at Securonix, in a new report the company recently published on the British Airways Magecart breach.
If stealing PII and administrator credentials aren’t enough, then what do the bad guys want? Whom, pray tell, are the hackers tripping up with these tripwires? The surprising answer: other hackers.
In fact, security researchers have uncovered evidence of certain hacker groups impeding the Magecart attacks of other such groups – showing that even the world of cybercrime is far from an organized, collaborative effort, but rather as chaotically competitive as a schoolyard full of hooligans.
The bottom line, of course, is that hacker groups are too numerous to count – and the easy, inexpensive availability of malware quickly disseminates the sophisticated work of one malefactor to a broad audience of less savvy script kiddies and others who are all too willing to exchange their hard-earned crypto for malware on the Dark Web.
And this situation will only get worse. “These components are available on the Dark Web from multiple hacking groups,” Kolesnikov concludes. “There’s no sign of stopping.”
Intellyx publishes the Agile Digital Transformation Roadmap poster, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. As of the time of writing, Securonix is an Intellyx customers. None of the other organizations mentioned in this article are Intellyx customers. Image credit: Blue Coat Photos.
