Magecart was the malware behind the British Airways and Ticketmaster data breaches a few years back and, unfortunately, it’s still alive and well. In fact, the latest victim appears to be OXO, a consumer household goods brand.
Magecart injects malicious JavaScript into websites served from compromised web servers. This JavaScript runs in a visitor's browser whenever they load the page, skims the credit card numbers the visitor enters, and sends them to the attacker's server. The attackers continually rotate the domain names that host these scripts to evade detection.
Luckily, researchers are continuing to hunt for Magecart and it’s easy to detect the compromise by looking for links to this malicious code. We saw a tweet the other day that prompted us to run a quick search:
Stopping Magecart
Beyond website security practices such as segregated rights and permissions, secure application development, and timely updates, the browser itself can be used to defend the end user's data. The subresource integrity (SRI) feature lets you publish a cryptographic hash of each script you link to; the browser recomputes the hash of the fetched script and refuses to execute it unless the two match. While this would not prevent the website's alteration, it would prevent the altered code from running on the client, effectively blocking Magecart and similar malware.
A second browser defense mechanism to take advantage of is the content security policy (CSP) feature in modern browsers, which lets the website owner control what client-side code is allowed to run when loaded from the website. CSP has a number of controls, such as the script-src directive that allow-lists the hosts scripts may be loaded from, that help ensure the integrity of the scripts the website presents to the client.