Web skimming

Not to be confused with form grabbing.

Web skimming, formjacking or a magecart attack is an attack where the attacker injects malicious code into a website and extracts data from an HTML form that the user has filled in. That data is then submitted to a server under control of the attacker.^[1][2]

Mitigation

Subresource Integrity or a Content Security Policy can be used to protect against formjacking, although this does not protect against supply chain attacks. A web application firewall can also be used.^[2][3]

Prevalence

A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack.^[4] In 2018, British Airways had 380,000 card details stolen in via this class of attack.^[5] A similar attack affected Ticketmaster the same year with 40,000 customers affected^[6] by maliciously injected code on payment pages.

Magecart

Magecart is software used by a range^[7] of hacking groups for injecting malicious code into ecommerce sites to steal payment details.^[8] As well as targeted attacks such as on Newegg,^[9] it's been used in combination with commodity Magento extension attacks.^[10] The 'Shopper Approved' ecommerce toolkit utilised on hundreds of ecommerce sites was also compromised by Magecart^[11] as was the conspiracy site InfoWars.^[12]

According to Malwarebytes, the Magecart software has tried to avoid detection by using the WebGL API to check whether a software renderer such as "swiftshader", "llvmpipe" or "virtualbox" is used. That would indicate that the software is running in a virtual machine and that the user is not a real world victim.^[13]

References

1. Reddy, Niranjan (2019). Practical Cyber Forensics : an Incident-Based Approach to Forensic Investigations. Berkeley, CA. ISBN 978-1-4842-4460-9. OCLC 1110377452.
2. "You Need to Protect Your Website Against Formjacking Right Now". PCMag. Retrieved 2021-05-20.
3. Wueest, Candid. "Internet Security Threat Report - Formjacking: How Malicious JavaScript Code is Stealing User Data from Thousands of Websites Each Month". Symantec.
4. Ismail, Nick (13 October 2016). "Stowaways: malicious skimming code hiding in almost 6,000 online shops". Retrieved 9 December 2018.
5. Whittaker, Zack (11 September 2018). "British Airways breach caused by credit card skimming malware, researchers say". Retrieved 9 December 2018.
6. Priday, Richard (28 June 2018). "The Ticketmaster hack is a perfect storm of bad IT and bad comms". Retrieved 9 December 2018.
7. Whittaker, Zack (13 November 2018). "Meet the Magecart hackers, a persistent credit card skimmer group of groups you've never heard of". Retrieved 9 December 2018.
8. Muncaster, Phil (1 October 2018). "Magecart: Time to Focus on Web Security to Mitigate Digital Skimming Risk". Archived from the original on 10 December 2018. Retrieved 9 December 2018.
9. Osborne, Charlie (19 September 2018). "Magecart claims another victim in Newegg merchant data theft". Retrieved 9 December 2018.
10. Cimpanu, Catalin (23 October 2018). "Magecart group leverages zero-days in 20 Magento extensions". Retrieved 9 December 2018.
11. Leyden, John (9 October 2018). "Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites". Retrieved 9 December 2018.
12. Blake, Andrew (14 November 2018). "Alex Jones' Infowars store infected with malware capable of skimming payment data". Retrieved 9 December 2018.
13. "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar". Threatpost. Retrieved 2022-04-03.