Magecart was the malware behind the British Airways and Ticketmaster data breaches a few years back and, unfortunately, it’s still alive and well. In fact, the latest victim appears to be OXO, a consumer household goods brand.
Magecart injects malicious Javascript onto websites hosted from compromised servers. This Javascript runs in clients’ web browsers whenever they visit the website and skims consumer credit card numbers, sending them to the attacker’s server. The attackers continually update the domain names they use to host these scripts to evade detection.
Luckily, researchers are continuing to hunt for Magecart and it’s easy to detect the compromise by looking for links to this malicious code. We saw a tweet the other day that prompted us to run a quick search:
Finding Magecart
When Censys encounters hosts with port 80 open during a scan, we issue an HTTP GET request for the root page on the server. We parse and index the returned HTTP response into searchable fields, like HTML body and server header. We store that content and allow users to search both headers and the raw HTML content.
Because Magecart operates by injecting malicious Javascript on the root page of websites, it’s easy to search for infected websites through Censys by looking for the known malicious code in the raw HTML we store. We’ve compiled a list of domains associated with Magecart from the Magecart domain list from this OTX pulse, we searched for bodies that matched that GET request with the following query:
https://censys.io/ipv4?q=%22dittm.org%22+OR+%22g-analytics.com%22+OR+%22google-analytics.is%22+OR+%22jquery-js.com%22+OR+%22analytic.is%22+OR+%22google-analytics.cm%22
We manually inspected the results of this query to ensure the HTML in the HTTP(S) body contains a script link to one of those domains and wasn’t just a string match elsewhere in the body, a false positive. If this was a larger set of results, this could be easily automated with a script.
Stopping Magecart
Beyond website security features like segregated rights and permissions and application security practices and updates, the browser can be leveraged to defend the end user’s data. The subresource integrity (SRI) feature allows you to cryptographically fingerprint scripts that you link to and force the loaded code to match before it executes. While this wouldn’t prevent a website’s alteration, it would prevent the code from running on the client, effectively blocking Magecart and similar malware.
A second browser defense mechanism to take advantage of is the content security policy(CSP) feature in modern browsers, which lets the website owner control what client-side code has rights to run when loaded from the website. CSP has a number of controls that will help ensure the integrity of the scripts presented by the website to the client.
