How to Protect your Systems from the Latest Magecart Malware Attacks

October 31, 2016 Payments
Atit Shah
By Atit Shah, Head of Security
Atit Shah
By Atit Shah, Head of Security

In recent months, we’ve noticed an uptick in the number of eCommerce platforms that have been affected by a new type of malware known as “Magecart”. Magecart malware is a JavaScript file added to a compromised website’s source code in an effort to steal payment card and other sensitive information. While none of our platform partners have reported any Magecart attacks to date, we take security very seriously and work to ensure you always have access to the latest information and findings needed to keep your systems safe. Read on to learn more about Magecart, including best practices for what to do to protect your platform from malware infections.

How it works

Magecart infections occur in two steps. First, the script checks if the user is on the checkout page. Once the user reaches the URL specific to each platform’s checkout page, the Magecart script proceeds to load the keylogger component. During this second step, a keylogger JavaScript code is injected and used to capture data the user enters in form fields. The collected data is then routed to a remote server under the cybercriminal’s control.

Security professionals have observed that the two scripts are loaded from domains that change from infection to infection, a tactic cybercriminals use to cover their tracks. All scripts load via HTTPS and the data is extracted via HTTPS. If the checkout form doesn’t collect all the information the hacker wants, Magecart can add input fields to the platform’s checkout form in order to get all that the cybercriminal seeks.

Accessing your risk

As all known attacks have targeted eCommerce platforms that host their own checkout forms, platforms using WePay’s iFrame or embedded checkout are considered low risk. Attacks on iFrames are unlikely because they are easier to detect than a compromise involving a custom UX checkout. Platforms using custom checkout or that have server-to-server integrations in place are strongly encouraged to adhere to and implement the following best practices to mitigate risk of malware infection.

Best Practices

While geared towards platforms using custom checkout or that have server-to-server integrations in place, all platforms are encouraged to align internal security measures with the following best practices for early malware detection and prevention.

  • Monitor any suspicious changes to JavaScript files that are loaded into client browsers to collect payment information. Typically, the JavaScript files should reference the external domain that is hosting the keylogging malware. Follow your Security Incident Procedure and notify WePay if any suspicious modifications are observed.
  • Follow industry best practices such as OWASP Top 10 to enhance the security of your web application.
  • Bolster the security of your network and systems and validate them using vulnerability management solutions.
  • Implement Multi-Factor Authentication (MFA) for remote access to critical production systems.  

Our security team is standing by if you have any questions about this advisory. Please email or consult RiskIQ for additional information about Magecart.

About the author

Atit Shah

Atit Shah, Head of Security

Atit Shah is Head of Security for WePay. He has more than 11 years of combined experience in technology, security and leadership. Prior to WePay, he held security-related positions at Microsoft, Deloitte, and Ernst & Young.

More blog posts by Atit Shah