Addressing Magecart

The notorious hacking group Magecart surfaced back in 2018, terrorizing websites with an attack known as card skimming. Normally, hacking groups tend to come and go quickly, but Magecart hit a serious nerve with their targeted breaches of enterprise websites and web applications. A wide range of companies saw their sites formjacked, and solutions were not immediately evident to most victims. So, I’ve been intrigued by Magecart for some time.

Now, I first met the fine team at Tala Security last year, and blogged about their advanced solutions for preventing web fraud. They were kind enough recently to take me through their security solution for Magecart-type attacks, and I found the discussion compelling and important. My notes below are offered to help raise awareness to the threat and to explain how Tala Security goes about addressing the risk in a clear manner.

The classic man-in-the-middle attack from Magecart is actually quite simple to explain: It begins with malicious code added to the JavaScript served to clients from a website. The malicious code then watches for and collects sensitive data such as credit card information from legitimate users visiting the site with their browser. The data is exfiltrated to a malicious drop site and is unloaded in the usual illegal manner. It’s that simple.

The nagging issue, however, is that common security tools don’t mitigate this MITM attack. Web application firewalls (WAFs), for example, don’t see the JavaScript activity happening inside the browser and have no means of scanning libraries for code insertions. And when this attack is served from third- or fourth-party services integrated into a site, the cascading result is something the Tala Security team described to me as piggy-backing.

The solution that Tala Security offers is based on the use of browser-native security controls, which offer security without compromising performance. One of these native controls is Content Security Policy (CSP), which was first published in 2012 to create and manage client-side protections. This technical approach is already being used by the likes of Google to protect their apps.

The goal of content security policies is to give the site owner policy-based, fine-grained control over the behavior of every source from which content is served, including third parties. They were immediately useful in addressing problems such as cross-site scripting and clickjacking. The Tala Security platform employs the method to address web fraud, which includes watching for any data collection suggestive of the attacks used by Magecart and similar groups.
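To make the policy-based mitigation described above concrete, here is an added example in Python (not Tala Security's code or any site's real policy) that parses a constructed CSP header for a checkout page and decides which script loads and outbound connections it would refuse, including the default-src fallback that applies when a directive is missing. The policy, the page origin and the URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example policy for a checkout page (not from Tala Security or any real
# site): only listed origins may serve scripts or receive connections.
EXAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.payment-provider.example; "
    "connect-src 'self' https://api.payment-provider.example; "
    "frame-ancestors 'none'"
)
PAGE_ORIGIN = "https://shop.example"  # constructed origin of the protected page

# Fetch directives inherit default-src when they are not set explicitly.
FALLBACK = {"script-src": "default-src", "connect-src": "default-src", "img-src": "default-src"}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Does one source expression permit the given absolute URL?"""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    if expr == "'self'":
        return origin == page_origin
    if expr.startswith("'") or expr == "*":
        return expr == "*"                    # keyword sources never match a URL
    if expr.endswith(":"):                    # scheme-source such as https:
        return u.scheme + ":" == expr
    e = urlsplit(expr if "://" in expr else "https://" + expr)
    if e.netloc.startswith("*."):             # wildcard host matches any subdomain
        return u.scheme == e.scheme and u.netloc.endswith(e.netloc[1:])
    return origin == f"{e.scheme}://{e.netloc}"

def allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if the directive (after default-src fallback) permits the URL; no policy means unrestricted."""
    sources = policy.get(directive, policy.get(FALLBACK.get(directive)))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

def blocked_events(header, events, page_origin=PAGE_ORIGIN):
    """Return the (directive, url) events the policy refuses, e.g. an injected script or a form-data POST to a drop site."""
    policy = parse_csp(header)
    return [(d, u) for d, u in events if not allowed(policy, d, u, page_origin)]
```

Browsers also match nonce and hash sources and can report violations to a collection endpoint; this models only the host-source matching that governs where scripts may come from and where data may be sent.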

Tala Security implements the client-browser mitigation using AI-based classification and learning. The software seems to install quickly and easily, and doesn’t appear to require any additional agents. The Tala Security team shared implementation use-cases for Apache and Nginx. I have not personally run the software, but their demos are slick and the performance and latency impacts are reported to be minimal.

As an analyst, I like when a platform elegantly addresses a nagging threat. Too many security products look like solutions in search of a problem, so it’s refreshing to see risk reduction for an attack that is actually involved in crimes. So, if you worry about sensitive data being input to your website and web application, then give the Tala Security team a call. I liked what I saw, and I suspect that you will too.