This summer, you are more likely to find the cybercriminal groups Magecart client-side rather than poolside.

Web skimming, which consists of stealing payment information directly from within the browser, is one of today's top web threats. Magecart, the group behind many of these attacks, gained worldwide attention with the British Airways and TicketMaster breaches, costing the former £183 million ($229 million) in GDPR fines.

Skimmers, sniffers, or swipers (all valid terms used interchangeably over the years) have been around for a long time and fought against mostly on the server side by security companies like Sucuri that perform website remediation.

Today, web skimming is a booming business comprised of numerous different threat groups, ranging from mere copycats to more advanced actors. During the past few months, we have witnessed a steady increase in the number of hacked e-commerce sites and skimming scripts. In this post, we share some statistics on web skimming based on our telemetry, as well as what Malwarebytes is doing to protect online shoppers from this threat.

65K theft attempts blocked in July

During the past few months, we have been observing a growing number of blocks related to skimmer domains and exfiltration gates. This activity drastically increased as the summer rolled out, most notably with peaks around July 4 (Figure 1).

Figure 1: Web blocks for skimmer domains and gates recorded in our telemetry

In the month of July alone, Malwarebytes blocked over 65,000 attempts to steal credit card numbers via compromised online stores. Fifty-four percent of those shoppers were from the United States, followed by Canada, with 16 percent and Germany with 7 percent, as seen in Figure 2.

Figure 2: Top 10 countries for Magecart activity in July

In addition to a greater number of compromised e-commerce sites (which often times have been injected with more than one skimmer), we also documented large and ongoing spray and pray attacks on Amazon S3 buckets.

Many skimmers, too many groups

Skimmer code can help to identify the groups behind them, but it is becoming increasingly difficult to do so. For instance, the Inter kit that is sold underground is used by different threat actors, and there are many copycats reusing existing code for their own purpose as well.

Figure 3: Fragments from different skimmer scripts

Having said that, skimmers typically have a similar set of functionalities:

  • Looking at the current page to see if it's the checkout
  • Making sure developer tools are not in use
  • Identifying form fields by their ID
  • Doing some validation of the data
  • Encoding the data (Base64 or AES)
  • Exfiltrating the data to their external gate or on the compromised store

While some skimmers are simple and easily readable JavaScript code, more and more are using some form of obfuscation. This is an effort to thwart detection attempts, and it also serves to hide certain pieces of information, such as the gates (criminal-controlled servers) that are used to collect the stolen data. Fellow researchers also noted the same for the data exfiltration process, although strange encryption may actually raise suspicions.

Magecart protection, client-side

Combating skimmers ought to start server-side with administrators remediating the threat and implementing a proper patching, hardening, and mitigation regimen. However, based on our experience, a great majority of site owners are either oblivious or fail to prevent re-infections.

A more effective approach consists of filing abuse reports with CERTs and working with partners to take a more global approach by tackling the criminal infrastructure. But even that is no guarantee, especially when threat actors rely on bulletproof services.

We often get asked how consumers can protect themselves from Magecart threats. Generally speaking, it's better to stick to large online shopping portals rather than smaller ones. But, this piece of advice hasn't always held true in the past.

At Malwarebytes, we identify those skimmer domains and exfiltration gates. This means that by blocking one malicious hostname or IP address, we can protect shoppers from dozens, if not hundreds, of malicious or compromised online stores at once.

In Figure 4, we see how Malwarebytes intercepts a skimmer that had been injected into the website for Pelican Products before the customer entered their information. (We reported this breach to Pelican and it appears that the site is now clean).

Figure 4: Magecart theft attempt blocked in realtime

The recent headlines about data breaches have eroded people's trust in entering personal information online. And yet, there are still many myths that persist and give a false sense of security. For example, the trust seals many merchants proudly display or even their use of digital certificates (HTTPS) will not protect you from a Magecart attack.

There is no doubt that Magecart threat actors, despite their diversity, are in it for the long game and because the attack surface is quite vast, we are bound to observe new schemes in the near future.