Preventing Magecart Attacks Through Supply Chain Vulnerabilities
What is the digital supply chain, and why is it risky?
The digital supply chain refers to the chain of third-party digital tools, services and infrastructure that a first-party service (such as your website or SaaS platform) depends on. In an ever-changing digital landscape, supply chains can be brittle, with many unseen risks.
The nature of supply chain risk is transitive; any part of the often long and complicated digital supply chain can be compromised, causing all components downstream of it to also be compromised. This means the whole system is only as secure as its weakest link.
Some examples of significant digital supply chain risks are web skimming, asset hijacking, mail hijacking and nameserver hijacking. In this article we will dive deep into Magecart, and how Magecart attacks evolved from simple first-party compromise to exploiting the supply chain to compromise many targets at a time.
What is Magecart?
Magecart is a term describing a loose association of web skimming malware and attacks on eCommerce websites to steal credit card details and other sensitive information. It’s such a popular attack that it’s sometimes used as a verb of its own in headlines (“XYZ company got ‘Magecarted’”).
The many groups of Magecart operators distribute their malware in a variety of ways, constantly evolving and innovating to evade protections and infect more victims. In this blog post we will take a dive into how these attacks work and ways to prevent Magecart attacks and protect your website against them.
Methods of intrusion
Magecart is not one, but many groups of attackers. Much like the ransomware landscape, Magecart operators utilize different tactics, techniques and procedures (TTPs) to achieve a similar goal: to steal your customers’ financial information.
Automated first-party Magecart vulnerability exploitation
Magecart takes its name from its origins in attacks on the popular eCommerce software Magento. The Magecart attackers exploited vulnerabilities in Magento (such as SQL injection and PHP object injection) and its plugins to gain access to the site, and maintained persistence by uploading webshells (script-based malware hosted on the website that lets the attacker execute commands on the server). From there, they could edit the web pages served by the site to deploy their skimming malware.
A Magento 1 exploit kit for sale for $5000
One of the largest waves of automated Magento attacks, back in 2020, compromised 1,904 shopping sites in just 4 days. Magecart exploited vulnerabilities in out-of-date Magento version 1 sites that had stopped receiving security updates once that version reached end-of-life. Similar attacks, with exploit kits for sale, continued to proliferate against newer versions of Magento in 2022, using template injection.
Compromising third-party infrastructure
Eventually attackers realized that they could have far wider reach and achieve more bang for their buck by attacking popular third-party services that are used by many different websites. One example of such an attack is going after misconfigured S3 buckets.
S3 is a storage service offered by Amazon Web Services (AWS) to store and host files, and is often used by websites to store and serve static content such as images and JavaScript. Some of these S3 buckets are misconfigured to allow public write access rather than only public read access, meaning the attackers could download the hosted JS files used by the website, append their malicious code at the end, and re-upload them. In a wide “shotgun” approach back in 2019, Magecart attackers infected over 17,000 domains using this technique.
Source: Trend Micro
Besides attacking cloud infrastructure, Magecart also goes after vulnerabilities in providers of third-party embedded scripts. One example target is the online advertising company Adverline, which Magecart attackers compromised to inject malware into a JavaScript library it used to serve ads. More than 7,000 websites were compromised through this single provider.
Source: Trend Micro
Big game hunting: careful targeting and sophisticated evasion
Along with the increased targeting of third-party providers, Magecart attackers are also selecting larger targets more carefully for maximum profit. One of the highest-profile Magecart incidents is the British Airways breach, which victimized 380,000 customers with just 22 lines of code (it was a single line of code as planted, which becomes 22 lines when expanded and pretty-printed).
The small 22-line custom Magecart implant with a realistic looking domain and API endpoint (source)
The attackers were carefully prepared, and hid their payload in an inconspicuous, old JavaScript library file. They registered the lookalike domain baways.com a week before the actual attack took place, and purchased an SSL certificate from Comodo instead of getting a normal, free certificate from Let’s Encrypt, to make the domain look more legitimate. The planted payload worked on both the British Airways website and the mobile app, since the mobile app loaded JavaScript from the same location. Since the code was tailor-made for its victim, it wasn’t easily detected.
Preventing Magecart attacks: auditing and untangling your digital supply chain
From first-party web plugins to third-party cloud infrastructure, JavaScript libraries and embedded ads, the supply chain for a website is tangled, complex and riddled with vulnerabilities that Magecart attackers exploit. A single line of code anywhere in that chain could compromise the whole site. How can we protect our websites against Magecart?
The answer to Magecart protection and mitigation lies in external attack surface management (EASM) of digital assets. What versions of backend software are running on your website? What frameworks are used? Are the plugins up to date? Are any of the plugins malicious or suspicious? What third-party JavaScript is being loaded?
Privacy Badger from the EFF showing the third-party trackers a website tried to load
Starting with the most critical assets (such as the page that displays payment forms), work outward to untangle all of that mess. In a large organization, this may need to be a cross-functional effort involving teams from various departments such as software development, marketing, IT, security and vendor procurement. Keep documentation for components up to date, and get rid of any unnecessary dependencies to reduce the attack surface.
One thing is clear – you can’t afford to ignore the digital supply chain. To lower the risk, it’s crucial to gain full visibility into your existing external attack surface. Adopt tools like IONIX that can thoroughly inventory your own environments, including visibility into your 3rd, 4th and Nth degree suppliers. To understand how IONIX helps reduce digital supply chain risk, read the case study of E.ON here.
Conclusion
Web security is an ever-evolving and complex space, and threats such as Magecart will continue to evolve and change. The only way to secure all your digital assets is to increase visibility of your attack surface – you can’t protect what you can’t see. You can leverage attack surface management platforms such as IONIX, which takes a proactive approach to identifying and mitigating risks posed by vulnerable, compromised or malicious web components. To see IONIX in action, request a scan today.