Multiple Security Holes in E-Commerce Retailer Sites

Multiple Security Holes in E-Commerce Retailer Sites

September 12, 2019

More than 80 global e-commerce sites are reported to be compromised by Magecart groups, according to research released this week. "Magecart" is an umbrella term given to multiple threat groups that use credit card skimming technology to infect e-commerce platforms and websites in order to steal personal and financial information. The group made headlines in 2018 for high-profile mega-breaches of global brands including Ticketmaster, Forbes, British Airways and Newegg.

The research, commissioned by Arxan Technologies and conducted by Aite Group, found 100 percent of the 80 sites discovered had no in-app protection implemented, such as tamper detection or code obfuscation. And, 25 percent of the sites discovered were large, reputable brands in the motorsports industry and luxury apparel.

“Virtual credit card skimmers, [the use of which is] also known as formjacking, are inserted into a web application, often the shopping cart, and are used to steal credit cards to sell on the black market and for shipping scams to traffic goods purchased with stolen cards,” according to a release on the report.

"Once again we're disappointed in what the research uncovered: the systemic lack of web-app protection being used by e-commerce websites and the inability of network and endpoint security solutions to completely protect consumers against this pervasive threat," said Aaron Lint, chief scientist and vice president of research for Arxan.

An estimated 20 percent of websites hit by Magecart become reinfected within five days of remediating the original problem, researchers noted.

"The threat of formjacking is a widespread and growing problem,” said Alissa Knight, cybersecurity analyst for Aite Group and author of the research. “Because so many web applications are lacking in-app protection, adversaries are able to easily debug and read a web app's JavaScript or HTML5 in plain text. Once the web app code is understood, malicious Javascript is then inserted into the web pages of target servers that delivers the web checkout form. Once weaponized, these credential pages will simultaneously send a consumer's credit card information to an off-site server under the control of the Magecart group while also allowing the compromised site to process the credit card so the consumer and the organization is unaware of the theft."

Previous-Article-CNP Next-Article-CNP

Learn more...

New call-to-action

  • Share this Article:
Joan Goodchild