Nowadays, new research shows that all online shopping platforms are targets and need to be monitored against possible compromises of their checkout process, during which hackers might attempt to log and steal payment card data entered in checkout and payment forms.
For example, a report published today by threat intelligence firm RiskIQ details ongoing Magecart attacks against OpenCart and OSCommerce sites, two lesser-known online store solutions.
“Reading through the OpenCart as well as the OsCommerce forums, we can find multiple instances where administrators were able to figure out they were breached,” the company said.
But other platforms have also been targeted. A report published by Group-IB last month highlighted ongoing attacks against Shopify and WooCommerce-based (WordPress) stores as well.
Sanguine Security’s Willem de Groot also described Magecart attacks specifically targeting WooCommerce platforms last August, in an interview with ThreatPost.
From Magento to… everything else
“Organizations need to understand that skimming groups can prey on any web environment and we see every online shopping platform targeted in our telemetry data,” Yonathan Klijnsma, RiskIQ Threat Researcher, said in a report released today.
The first groups which engaged in these types of attacks used vulnerabilities in the Magento e-commerce platform because at the time, Magento was the most widely used solution, and a perfect attack surface.
But today’s e-commerce store scene is a lot more diverse, with many other e-commerce platforms available to interested store owners.
Furthermore, the number of Magecart hacking groups has also increased, pushing competing gangs towards other platforms in search of new victims.
While the RiskIQ report released today highlights a series of attacks targeting OpenCart-based stores, Magecart groups don’t see themselves as limited to just Magento, WooCommerce, OpenCart, or OSCommerce platforms.
As RiskIQ mentioned in a report last year, these groups aren’t just exploiting Magento vulnerabilities anymore. Some of them, such as the threat actors tracked as Magecart groups #4, #5, #6, or #12, have evolved from targeting the stores themselves to targeting their supply chains (widgets, plugins, or analytics providers used by the stores).
Commercial cloud-based platforms are also at risk
This recent trend of focusing on compromising supply-chain providers also allows these groups to infect a wide variety of platforms, ranging from self-hosted stores to cloud-based platforms such as the ones provided by Magento, Shopify, Wix, Squarespace, X-Cart, OpenCart, and the plethora of other commercially-sold online store solutions.
Of the seven platforms we reached out to, only two responded, namely BigCommerce and Shopify.
This means that neither users nor attackers can tinker with Shopify’s payment card entry and processing scripts in any way unless they compromised Shopify itself.
Similarly, BigCommerce also deploys an array of cyber-security protections “including perimeter and server-specific firewalls, web application firewalls, file integrity monitors, intrusion detection systems, sitewide HTTPS, 24/7 human monitoring and routine penetration testing conducted by PCI-certified information security service providers,” Scott Baker, vice president of IT, security and technical operations at BigCommerce, told ZDNet last year in a two-page document detailing the company’s security practices.
“Though the BigCommerce APIs allow programmatic changes to the scripts included on a BigCommerce store, the checkout page – where these APIs are most commonly in use – includes extra protections that require additional scopes. These scopes can only be listed in our marketplace by PCI-compliant companies, and must be requested by the third-party application at installation. Furthermore, BigCommerce requires that an explicit agreement be signed before the merchant can manually change their checkout scripts,” Baker also added.
Companies like Wix, OpenCart Cloud, Magento, and X-Cart did not respond to a request for comment. Squarespace did not want to comment.
JS skimming profits on par with ATM skimming
With the price of payment card details obtained from online stores equalizing with that of details obtained from ATM skimming, attacks on online stores are expected to continue and even grow in intensity.
Furthermore, RiskIQ also sees Magecart groups expanding operations from JS card skimming to collecting additional details, such as login credentials, which can be sold online, as a secondary revenue stream.
“Skimming attacks on any platform is a critical issue because while payment data is currently the focus, we’re already seeing moves to skim login credentials and other sensitive information,” RiskIQ’s Klijnsma also added.
“This widens the scope of potential Magecart victims far beyond e-commerce alone,” the expert said, by allowing Magecart groups to weaponize and monetize JS sniffing code that inadvertently lands on websites that don’t include a shopping experience to begin with.