The Year of Magecart: How the E-Commerce Raiders Reigned in 2019
In mid-October, an online criminal group used embedded code to skim personal and financial information from visitors who purchased goods while shopping on Macy’s e-commerce site.
While the retail giant notified customers on Nov. 15, the company has yet to release details of the attack. For example, hHow many customers were impacted by the breach remains unknown.
Researchers, however, believe the intruders belong to a loose grouping of cybercriminal gangs known as Magecart groups, named for their habit of skimming financial details from shopping carts and, often, the Magento e-commerce platform.
This particular group had upped its game: The attackers had tightly integrated their information-gathering code into two parts of the website and had knowledge of how Macy’s e-commerce site functioned, security firm RiskIQ said in a Dec. 19 analysis.
“The nature of this attack, including the makeup of the skimmer and the skills of the operatives, was truly unique,” said Yonathan Klijnsma, head researcher with RiskIQ, in his analysis. “I’ve never seen a skimmer so meticulously constructed and able to play to the functionality of the target website.”
The Macy’s breach is the latest success for the broad class of Magecart attackers. In 2018, Magecart groups breached Ticketmaster, Newegg, and British Airways, with seven different groups targeting e-commerce sites and skimming customer information, according to threat intelligence firm RiskIQ. In 2019, attackers hit Macy’s, SixthJune, and the American Cancer Society, and the number of Magecart groups researchers were tracking ratcheted up to 16.
The groups are not unified and run the gamut from state-sponsored intelligence operations to low-level criminals using downloaded tools, according to RiskIQ. Some groups use automated tools to hit as many vulnerable sites as possible. One group — labeled Group 4 — uses obfuscation and targeting to try to blend into the victim’s website’s files. Another — Group 5 — tries to compromise third-party suppliers.
Yet the combined activity of all these groups has caused major breaches this year and hundreds of millions in fines, because many companies found themselves the target of fines under European Union’s newly minted General Data Protection Regulation (GDPR). One victim, hotel chain Marriott, will likely have to hand over £99 million (US$124 million), while air carrier British Airways could see a £183 million (US$229 million) fine under GDPR.
“Overall, poorly secured sites combined with a few serious vulnerabilities resulted in a very successful year for Magecart threat actors,” says Matthew Gluck, a senior analyst with Flashpoint.
The situation is only set to get worse.
(continued on next page)
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio
