01-30-2025, 07:05 AM
News What is Magecart? How this hacker group steals payment card data
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<h2 class="wp-block-heading" id="magecart-definition">Magecart definition</h2>
<p>Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information. This is known as a <a href="https://www.csoonline.com/article/561323/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html" target="_blank">supply chain attack</a>. The idea behind these attacks is to compromise a piece of third-party software supplied by a VAR or systems integrator, or to infect an industrial process without IT's knowledge.</p>
<p>Shopping carts are attractive targets because they collect payment information from customers: if your <a href="https://www.csoonline.com/article/565999/what-is-malware-viruses-worms-trojans-and-beyond.html">malware</a> can tap into this data stream, you have a ready-made card collection tool. Almost all ecommerce sites that use shopping carts don’t properly vet the code that is used with these third-party pieces — a recipe for a ready-made hack.</p>
<p>Magecart is known to have been active since 2016 and is still quite prolific. RiskIQ has found evidence of its exploits going back to 2010. RiskIQ was acquired by Microsoft in 2021 and folded into Microsoft’s own threat research. Unfortunately, much of the original research isn’t available, although this <a href="https://www.riskiq.com/wp-content/uploads/2019/10/RiskIQ-Magecart-The-State-of-a-Growing-Threat-100419a.pdf">2019 report gives a very comprehensive view</a> of the malware’s activities. The malware group’s activities intensified in 2018, and researchers saw hourly alerts for websites being compromised by its skimmer code. That earned Magecart a spot on Wired magazine’s list of <a href="https://www.wired.com/story/most-dangerous-people-on-internet-2018/" target="_blank" rel="noreferrer noopener">Most Dangerous People On The Internet In 2018</a>.</p>
<p>In 2023, Akamai researchers tracked new developments designed to <a href="https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains">steal personal data from ecommerce websites</a> and to <a href="https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer">abuse web error pages</a>. In the first case, the Magecart attackers hijack legitimate websites to act as makeshift command and control servers, which in turn distribute the malicious code, effectively hiding the attack behind a legitimate domain. The second describes subverting a site's 404 error pages by injecting skimmer code into them. Both techniques add a further layer of obfuscation that makes Magecart harder to detect.</p>
<p>Other Magecart attacks include:</p>
<ul class="wp-block-list">
<li><a href="https://www.csoonline.com/article/566287/british-airways-hack-was-by-same-group-that-compromised-ticketmaster.html" target="_blank">Ticketmaster’s UK operations</a> (January 2018)</li>
<li><a href="https://www.csoonline.com/article/566287/british-airways-hack-was-by-same-group-that-compromised-ticketmaster.html">British Airways</a> (August 2018)</li>
<li><a href="https://www.zdnet.com/article/magecart-claims-another-victim-in-newegg-merchant-data-theft/">NewEgg electronics retailer</a> (September 2018)</li>
<li><a href="https://www.darkreading.com/application-security/magecart-attempted-supply-chain-attack-against-shopper-approved">Shopper Approved</a> (September 2018)</li>
<li><a href="https://www.csoonline.com/article/567059/magecart-payment-card-skimmer-gang-returns-stronger-than-ever.html">MyPillow</a> (October 2018)</li>
<li><a href="https://www.bleepingcomputer.com/news/security/toppscom-sports-collectible-site-exposes-payment-info-in-magecart-attack/" target="_blank" rel="noreferrer noopener">Topps sports collectable website</a> (November 2018)</li>
<li><a href="https://sansec.io/research/atlanta-hawks-magecart" target="_blank" rel="noreferrer noopener">Atlanta Hawks fan merchandise online store</a> (April 2019)</li>
<li>Hundreds of <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/" target="_blank" rel="noreferrer noopener">college campus bookstores</a> (April 2019)</li>
<li><a href="https://www.tripwire.com/state-of-security/featured/forbes-subscribers-magecart-threat-skimming-credit-card-details/" target="_blank" rel="noreferrer noopener">Forbes magazine subscribers</a> (May 2019)</li>
<li><a href="https://www.techradar.com/news/nutribullet-website-hit-by-magecart-hackers" target="_blank" rel="noreferrer noopener">NutriBullet</a> (February 2020)</li>
<li><a href="https://www.bleepingcomputer.com/news/security/wordpress-malware-finds-woocommerce-sites-for-magecart-attacks/" target="_blank" rel="noreferrer noopener">WordPress/WooCommerce attacks</a> (May 2020)</li>
<li>Favicon code injection attack (May 2021)</li>
<li>Targeting reCAPTCHA (August 2021)</li>
<li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-state-of-magecart-a-persistent-threat-to-e-commerce-security/">Exploiting Google Tag Manager</a> and using a new vulnerability in Magento to deploy its skimmer code (2024)</li>
</ul>
<h2 class="wp-block-heading" id="how-magecart-works">How Magecart works</h2>
<p>Typically, the Magecart hacker substitutes a piece of JavaScript code, either by altering the Magento source or by using an injected reference to redirect the shopping cart to a website that hosts the malware. <a href="https://www.darkreading.com/attacks-breaches/criminals-use-one-line-of-code-to-steal-card-data-from-e-commerce-sites/d/d-id/1334173" rel="noopener nofollow" target="_blank">Researchers have identified nearly 40 different</a> code-injection exploits. The only way to detect this is to compare the entire ecommerce code stack line-by-line against a known-good copy and see what has changed.</p>
<p>The overall attack process has become very sophisticated, using a series of steps to hide the skimmer's presence and a variety of techniques to exfiltrate data.</p>
<p>One clever way for attackers to host their malware (and, sadly, not limited to Magecart attacks) is to <a href="https://www.bleepingcomputer.com/news/security/github-hosted-magecart-card-skimmer-found-on-hundreds-of-stores/" target="_blank" rel="noopener nofollow">upload their code to an unused GitHub project</a>. The criminals take ownership of the abandoned project and then publish a “new” version of the code that contains the malware. The direct benefit is that the malware quickly enters active use across thousands of websites that depend on the project. Security tools might not scan code pulled from GitHub, so the criminals can hide in plain sight behind the compromised project.</p>
<p>In at least the British Airways hack, Magecart tailored the attack to the specific target, according to various reports: the skimmer was written around how the airline's payment pages were constructed.</p>
<p>Magecart showed that it is willing to evolve further with its MyPillow website attack. MyPillow discovered and removed the original malware quickly, but Magecart retained access to the site, according to <a href="https://www.trendmicro.com/en_us/research/19/a/new-magecart-attack-delivered-through-compromised-advertising-supply-chain.html" target="_blank" rel="noreferrer noopener">a 2019 report from Trend Micro</a>. A second attack changed tactics: the attackers placed a skimmer on the MyPillow website by adding a new script tag for LiveChat that matched one usually inserted by the legitimate LiveChat scripts. They went even further by proxying the standard script returned from the real LiveChat service and appending the skimmer code below it.</p>
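<p>The line-by-line comparison the paragraph above calls for is, in practice, a file-integrity baseline: hash every deployed script and template from a known-good build, then re-hash the live tree on a schedule and report what was added, removed or modified. The following is an added example, not code from the article or from any of the vendors it cites; the watched file extensions and the sample tree it builds in a temporary directory are constructed for the demonstration.</p>

```python
"""Added example: a file-integrity baseline for an ecommerce code tree.

A skimmer is usually planted by editing a deployed JavaScript/PHP file or by
adding a new one, so a SHA-256 manifest taken from a known-good deployment and
re-run later pinpoints exactly which files changed. Everything below (the
watched suffixes, the sample files, the simulated tampering) is constructed
for this example."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: the asset types worth watching on a typical Magento/WordPress host.
WATCHED_SUFFIXES = {".js", ".php", ".phtml", ".html"}


def build_manifest(root: str) -> dict[str, str]:
    """Map each watched file under root (as a POSIX relative path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WATCHED_SUFFIXES:
                continue
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the added, removed and modified paths between a baseline and a fresh manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, simulate a tampered deployment, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// constructed checkout script\nexport function pay() {}\n")
        (root / "js" / "vendor.js").write_text("// constructed vendor bundle\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a watched suffix, so ignored
        baseline = build_manifest(str(root))

        # Simulated tampering: one file gains an appended line, one appears, one disappears.
        with open(root / "js" / "checkout.js", "a", encoding="utf-8") as fh:
            fh.write("// line that is not in the known-good build\n")
        (root / "js" / "extra.js").write_text("// new file absent from the baseline\n")
        (root / "js" / "vendor.js").unlink()
        return diff_manifests(baseline, build_manifest(str(root)))


if __name__ == "__main__":
    # Expected: {'added': ['js/extra.js'], 'removed': ['js/vendor.js'], 'modified': ['js/checkout.js']}
    print(demo())
```

<p>In a real deployment the baseline manifest is written at release time from the build artifact, stored somewhere the web server cannot write to, and compared against the live document root by a job that runs outside the application (cron on the host, or a read-only mount from a separate monitoring box), so that an attacker who edits the web tree cannot also edit the baseline.</p>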
<p>Three of the 2019 and 2020 Magecart skimmers targeted the open-source WooCommerce plugin for WordPress, which is popular among online retailers. These skimmers were:</p>
<ul class="wp-block-list">
<li>WooTheme: This skimmer is simple and easy to use. Its code is typically obfuscated to avoid detection.</li>
<li>Slect: This skimmer gets its name from a misspelling of the word “select” that helped researchers discover it. It’s another simple skimmer and believed to be a variation of the Grelos skimmer.</li>
<li>Gateway: This skimmer uses multiple layers and steps to obfuscate its processes and avoid detection.</li>
</ul>
<h2 class="wp-block-heading" id="how-magecart-has-evolved">How Magecart has evolved</h2>
<p>Analysts from RiskIQ and Flashpoint combined forces in 2018 and <a href="https://www.riskiq.com/wp-content/uploads/2018/11/RiskIQ-Flashpoint-Inside-MageCart-Report.pdf" target="_blank" rel="noreferrer noopener nofollow">published a report</a> that dissects Magecart’s code and its methods of compromise. They continue to track at least six different hacking groups that are actively developing versions of the malware, adding various enhancements and trickery. Each group has its own distinctive code signature and methods so that researchers can classify them. That research has found a series of improvements in this malware family.</p>
<ul class="wp-block-list">
<li><strong>Movement beyond Magento with new plug-ins.</strong> The attack on the Shopper Approved website was significant. Most of the Magecart efforts have involved compromises of the Magento shopping cart. This one leveraged the vendor’s customer-rating plug-in, which displays a badge of honor on the websites it rates. Researchers found that the malware was eventually deployed across more than 7,000 ecommerce sites. Once researchers identified the source of the infection, Shopper Approved moved quickly to remove the malware.</li>
<li><strong>Using ad servers.</strong> A second direction still attacks shopping carts, but uses a new method: infecting advertising banners, so that ad servers deliver the Magecart code to the web page alongside the ad. Once a user views the ad in a browser, the code is downloaded to their computer. The malware code can also be hosted on a compromised server.</li>
<li><strong>Using more targeted and more elaborate attacks.</strong> This shows a movement away from spraying malware widely toward spending time with potential victims to study their code and infrastructure. This is what happened with British Airways, when hackers were able to take advantage of the logic flow of the airline's internal applications. Researchers tracked 22 lines of code in an infected script that dealt with the British Airways baggage claim information page and concluded that they were seeing an <a href="https://www.csoonline.com/article/565192/what-is-xss-cross-site-scripting-attacks-explained.html">XSS</a> attack that <a href="https://www.wired.com/story/british-airways-hack-details/" target="_blank" rel="noreferrer noopener nofollow">compromised British Airways’ own servers</a>. Magecart was able to steal data that wasn’t stored on the British Airways-owned servers. They found the modifications because of an odd circumstance: the last time any of the baggage scripts had been modified prior to the breach was in December 2012.</li>
<li><strong>Dual exfiltration and payment form injection.</strong> <a href="https://threatpost.com/emerging-makeframe-skimmer-magecart-smbs/154374/">RiskIQ documented in 2021</a> the past and current activities of a Magecart group it calls Group 7, which has been operating since 2018. The group started out with a skimmer dubbed MakeFrame that it tested and constantly improved on victims’ websites. This skimmer stood out because it used dual data exfiltration paths, to both compromised sites and actor-controlled servers. The researchers have managed to link more recent attacks using a skimmer dubbed Bom to Magecart Group 7. The new skimmer, which has been in use since the year before that report and has been documented by other security firms as well, seems to be a predecessor of MakeFrame and shares similarities with it. Like MakeFrame, Bom uses dual exfiltration paths and even injects its own rogue payment forms into the compromised sites.</li>
<li><strong>Hiding its script in image files.</strong> This 2022 <a href="https://www.microsoft.com/en-us/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/">research from Microsoft</a> shows how image files were used to carry the malicious code.</li>
</ul>
<h2 class="wp-block-heading" id="supply-chain-attack-mitigation-and-prevention-methods">Supply chain attack mitigation and prevention methods</h2>
<p>While hackers can use sophisticated techniques to plant and hide skimmers, website owners with limited resources should not despair. There are free website scanners online that can help spot suspicious connections opened by scripts like Magecart and browser developer tools that can help analyze their contents.</p>
<p>Researchers from Trustwave SpiderLabs <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/anyone-can-check-for-magecart-with-just-the-browser/" rel="nofollow">published a guide</a> with detailed information on how such investigations can be performed, as well as a list of useful tools specifically designed for detecting and fixing Magecart infections. Web technologies like Content Security Policy (CSP) and Subresource Integrity (SRI) can also protect website visitors: CSP restricts where scripts may be loaded from, and SRI makes the browser refuse a script whose content no longer matches the hash pinned in the page.</p>
<p>These best practices will help harden your environment against Magecart and other supply chain attacks.</p>
<ul class="wp-block-list">
<li>Start by identifying all your third-party ecommerce and online advertising vendors. You could require them to do self-assessments of their code or other audits.</li>
<li>Implement <a href="https://www.troyhunt.com/protecting-your-embedded-content-with-subresource-integrity-sri/" target="_blank" rel="noopener nofollow">subresource integrity</a> so that modified scripts are not loaded without your permission. This will require a concerted education of your devops teams and a thorough code review to track down these scripts.</li>
<li>Host as many of your third-party scripts on your own servers as you can rather than on any of your suppliers’ servers. That is more easily said than done, given that the average ecommerce webpage has dozens of third-party sources.</li>
<li>Vet your endpoint protection provider and determine if they can stop Magecart and other third-party compromise attacks.</li>
<li>Make sure your cyber insurance covers this type of compromise.</li>
<li>Review and revise your security policies so that contractors and suppliers get the same treatment as full-time employees working directly for your corporation. Supply chain attacks work in part because the hackers are counting on less-than-stellar security applying to these workers.</li>
<li>If you are using WordPress, make sure you continue to update to the most recent version. Since v5.2 it specifically screens its plug-in library and tries to prevent supply chain attacks delivered through it.</li>
</ul>
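<p>The CSP and SRI controls mentioned above, and the SRI item in the list, are concrete enough to automate: a checkout page's script tags can be audited against an allowlist of script origins and their pinned hashes, and the same allowlist can be emitted as a CSP header with a report endpoint. The following is an added example, not code from the article, Trustwave's guide or any vendor; the page HTML, the script bodies standing in for what each URL serves, the host allowlist and the report path are all constructed for the demonstration.</p>

```python
"""Added example: SRI hash generation, a script-tag audit for a checkout page,
and a matching Content-Security-Policy header.

The audit flags exactly the conditions CSP/SRI would block in a visitor's
browser: a script from a host outside the allowlist, an external script with
no integrity attribute, an integrity value that no longer matches the served
content (the MyPillow/LiveChat pattern of a proxied script with code appended),
and inline scripts, which a strict policy rejects unless nonced or hashed.
All inputs below are constructed for the example."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptTags(HTMLParser):
    """Collect the attribute dict of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str, allowed_hosts: set, served: dict) -> list:
    """Return (script, reason) findings for tags a CSP/SRI policy would reject.

    served maps a script URL to the bytes that URL actually returns; here it is a
    constructed dict, in practice the result of a controlled fetch of each URL."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append(("inline", "inline script; blocked unless nonced or hashed under CSP"))
            continue
        host = urlparse(src).netloc
        if host and host not in allowed_hosts:
            findings.append((src, f"host {host} not in allowlist"))
        integrity = attrs.get("integrity")
        if integrity is None:
            findings.append((src, "missing integrity attribute"))
        elif src in served and sri_hash(served[src]) != integrity:
            findings.append((src, "integrity mismatch: served content differs from pinned hash"))
    return findings


def csp_header(allowed_hosts: set, report_uri: str = "/csp-report") -> str:
    """Build a script-src policy from the allowlist; report-uri collects violations for review."""
    sources = " ".join(["'self'"] + sorted(allowed_hosts))
    return f"default-src 'self'; script-src {sources}; report-uri {report_uri}"


def demo() -> tuple:
    """Audit a constructed checkout page whose chat script is served with extra bytes appended."""
    chat_js = b"/* constructed vendor script */ window.chat = {};\n"
    allowed = {"cdn.example"}  # assumption: the only third-party script host the site approved
    page = f"""<html><body>
<script src="https://cdn.example/chat.js" integrity="{sri_hash(chat_js)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static.example.net/widget.js" integrity="{sri_hash(chat_js)}" crossorigin="anonymous"></script>
<script>console.log("inline")</script>
</body></html>"""
    served = {
        "https://cdn.example/chat.js": chat_js + b"/* bytes not in the pinned version */\n",
        "https://cdn.example/analytics.js": chat_js,
        "https://static.example.net/widget.js": chat_js,
    }
    return audit_scripts(page, allowed, served), csp_header(allowed)


if __name__ == "__main__":
    findings, header = demo()
    for script, reason in findings:
        print(f"{script}: {reason}")
    print("Content-Security-Policy:", header)
```

<p>Running the audit from a separate monitoring host, rather than from the web server, keeps it honest: it sees the page and the scripts exactly as a visitor would, including anything a compromised server or proxied vendor script appends. Roll the CSP out with <code>Content-Security-Policy-Report-Only</code> first, and the report endpoint will list every script origin the policy would block before enforcement breaks anything.</p>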
<p><em>Editor’s note: This article, originally published on June 6, 2019, has been reviewed and updated in 2021 and 2025.</em></p>
</div></div></div></div>
https://www.csoonline.com/article/567335...-data.html