It feels like news stories about a massive data breach are almost a weekly fixture these days. One recent incident involving Ticketmaster UK stood out, though, because of the name attached to it: Magecart.
The first thing to understand is that Magecart is not the name of a group or anything like that. Magecart is the name investigators applied to a massive, worldwide campaign carried out by fraudsters since 2015. The name comes from the mage.js file used to perpetrate the attacks.
The Ticketmaster hack may have exposed 5% of the company’s global userbase—tens of thousands of customers—to a digital card skimming plot. How did fraudsters manage to pull off this attack, and what can it teach us about the current state of data security?
How Does the Magecart Script Work?
Unlike other hacks that attempt to steal stored information, the Magecart JavaScript allows fraudsters to steal payment information in real time. Their aim is to inject malicious JavaScript into eCommerce sites to remotely “skim” card numbers entered during checkout. It’s like a wiretap; the script captures live payment information, then funnels it to a collection server. The data can be used to make purchases, or it can be sold in bulk to other fraudsters.
This method is clever in its simplicity, but breaches are usually simple to plug…once they’re discovered, that is.
The problem is that they take a long time to detect, because while these fraudsters are focused on attacking retailers, they’re not doing it directly. The way they work is to move up the supply chain and attack third parties that work with the retailer. The malicious script infects one business, but the negative impact gets passed on to another.
The result: the average time required to identify a mega-breach (more than 1 million compromised records) was 365 days, according to a study published by IBM. Fraudsters could siphon off the merchant’s customer data without their knowledge for months after an attack like the Magecart script.
Investigators already found the malicious code buried in more than 800 eCommerce sites. However, there could be hundreds, or even thousands more out there waiting to be uncovered. Even sellers who are PCI compliant and dispose of information properly are still vulnerable because of their third-party relationships.
Who’s Responsible for Hacks?
So…who bears the responsibility for these kinds of attacks: the merchant, or their supplier?
Even though it’s not really the merchant’s fault, they’re the ones who will inevitably get stuck with the blame. Every major security breach becomes associated with the consumer-facing brand it’s tied to: Ticketmaster, Equifax, Target, etc.
Who takes the heat is an important concern from a PR perspective, but the real-world financial impact will hurt, too. That same IBM study mentioned above revealed the average cost per data breach is now at $3.86 million!
Here’s the bottom line: a data skimming attack like the Magecart script is very difficult to prevent, and difficult to detect even once it starts. The best chance online retailers and other businesses have against these threats is to be proactive.
Take Action Against Fraud
I’ve outlined four fundamentals that every merchant needs to help protect themselves and mitigate risk, including:
- Encrypt All Data: Encrypted data is useless without the key. Merchants can encrypt data as it is entered and transmitted, preventing it from being easily read by skimmers.
- Assess Vulnerability: Businesses should run regular scans on all external-facing hosts and cloud environments. This will help pinpoint potential access points.
- Watch for Indicators: Performing a full scan of all systems in a network whenever a new breach comes to light allows businesses to see if they’ve been hit as well. For example, any script with the webfotce.me domain indicates a Magecart breach.
- Comprehensive Loss Prevention: You need comprehensive protection against a dynamic range of threats. A data breach is just one of countless loss sources facing your business.
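The "Watch for Indicators" check above, sketched as an added example (not code from the article or from any vendor): it inventories every script tag on a saved checkout page, separates first-party from third-party hosts, and flags any host matching the webfotce.me indicator the article names. The page URL, shop.example, cdn.vendor.example and the sample HTML are constructed assumptions.

```javascript
// Added example, not from the article. webfotce.me is the indicator the article
// names; shop.example and cdn.vendor.example are constructed placeholders.
const INDICATOR_DOMAINS = ["webfotce.me"];

// True when host is the indicator domain itself or any subdomain of it.
const matchesDomain = (host, domain) => {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
};
const isIndicator = (host, list) => list.some((d) => matchesDomain(host, d));

// Classify every <script> in a saved page. Regex extraction is enough for an
// audit sketch; use a real HTML parser for pages you do not control.
function auditScripts(html, pageUrl, indicators = INDICATOR_DOMAINS) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host = null;
      try { host = new URL(raw, pageUrl).hostname; } catch { /* malformed src */ }
      const verdict = host === null ? "unparseable"
        : isIndicator(host, indicators) ? "indicator"
        : host === pageHost ? "first-party" : "third-party";
      findings.push({ source: raw, host, verdict });
    } else {
      // Inline script: look for indicator hostnames embedded in the code.
      const hosts = body.match(/[a-z0-9-]+(?:\.[a-z0-9-]+)+/gi) || [];
      const hit = hosts.find((h) => isIndicator(h, indicators));
      findings.push({ source: "(inline)", host: hit || null,
                      verdict: hit ? "indicator" : "inline" });
    }
  }
  return findings;
}

// Constructed sample page, not a capture from any real site.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="//cdn.vendor.example/chat-widget.js"></script>
<script src="https://WEBFOTCE.me/js/form.js"></script>
<script>var u = "https://js.webfotce.me/c.js";</script>
<script src="https://notwebfotce.me/x.js"></script>`;

console.table(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

The third-party rows matter as much as the indicator rows: each one is a supplier whose compromise would reach the checkout page, so the list doubles as an inventory to review whenever a new breach comes to light.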
I want to elaborate on that last point, comprehensive loss prevention, too. While it’s true that malicious attacks cause 48% of all data breaches, the remaining 52% are due to human error and system glitches. That carries over into a lot of different aspects of loss prevention.
For example, let’s compare data breaches to chargebacks, a process that cost merchants at least $31 billion in 2017. Fewer than 10% of all chargebacks are caused by genuine criminal fraud; most result from either friendly fraud, merchant error, or “cyber shoplifting.”
Just about every fundamental loss source has multiple different causes. Addressing all of them demands a multilayer approach to fraud, with complementary tools and strategies that work together to filter out as many threats as possible. Think of it like a mesh; each tool is a different strand, but when properly woven together, they can filter out fraud attempts while still allowing legitimate transactions to pass through.
It doesn’t matter whether you’re concerned by the Magecart hack, or simply want better end-to-end fraud coverage. You need to address pre-transactional activity like data skimming attacks and post-transactional activity as part of a coordinated strategy. That’s the only way to ensure true fraud protection.
Monica Eaton-Cardone is an entrepreneur and business leader with expertise in technology, e-Commerce, risk relativity and payment-processing solutions. She is COO of Chargebacks911 and CIO of its parent company Global Risk Technologies.