Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.
For the report In Plain Sight II: On the Trail of Magecart, conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps arent properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.
Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. Its not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.
Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information.
A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers credit card information to an external server under adversaries control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.
Magecart
groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.
While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecarts web, Lint continues. Any website that conducts financial transactions or collects user credentials is a target. Victims ranged from luxury fashion retailers to motorcycle manufacturers and childrens learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.
The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available, the
report states
. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.
Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.
What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of
research
estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, its expected to approach $5 trillion. Lint anticipates the
continued growth
of the e-commerce market will drive the continued evolution of Magecart attacks.
If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure theyre updated as new releases are made available.
Related Content:
7 Biggest Cloud Security Blind Spots
Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning
The Right to Be Patched: How Sentient Robots Will Change InfoSec Management
WannaCry Remains No. 1 Ransomware Weapon
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
The Right to Be Patched: How Sentient Robots Will Change InfoSec Management
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Magecart Shops for Victims as E-Commerce Market Grows