Hackers are using the COVID-19 crisis to attack with Magecart

June 9th, 2020

During these difficult times, people are increasingly relying on e-commerce. It’s never been more important to defend against Magecart and other client-side attacks, says Tala CEO Aanand Krishnan.

In these difficult times, e-commerce has become a lifeline for both customers and retailers. With e-commerce sales projected to grow to US$6.54 trillion by 2022, cybercriminals see a bonanza to exploit and are ramping up their activities to skim credit cards, credentials and PII.

Right now, less than 1% of website operators are deploying security policies capable of preventing client-side attacks. It has never been more important to take a proactive approach to protecting your website and customers from attacks like Magecart and cross-site scripting (XSS). Where do you start? Let’s take a look at one of the most popular attacks.

Magecart and third-party code exploits

One of the most effective approaches favoured by cybercriminals is Magecart, sometimes referred to as formjacking: injecting malicious JavaScript code into a website that allows them to exfiltrate any information entered by the customer: credit card details, banking information, passport numbers, credentials and any personal data.

Increasingly, attackers are targeting third-party applications and services integrated into websites - such as chat, tags, analytics or e-commerce tools - to launch these attacks. Two million skimmers were identified operating on websites last year alone.

Monitor, control, protect with comprehensive security standards

What makes this technique so effective is that these attacks can go undetected for months or even years. It all happens on the client-side, in the browser. It doesn’t impede the transaction in any way, so the customer carries on, the retailer receives their payment and no one spots anything. Until they do - usually when a bank detects an alarming trend of fraud with a common denominator.

The best defense against client-side attacks like these starts with identifying how much third-party code is running on your site. The next layer comes with establishing the norms of behavior for those applications. To detect and block these attacks, your next line of defense comes courtesy of the same group of experts that laid the foundation for all the rich content on today’s modern web: Security Standards, including:

CSP + SRI + HSTS + Referrer Policy + Feature Policy + Trusted Types + Clear-Site-Data = A comprehensive web security strategy built on the expertise of the web’s leading innovators and developers. This standards-based security framework operates in a state of continuous innovation and enhancement as standards evolve.

Implementing these standards ensures that form data is sent only to the intended destination - and that malicious scripts are prevented from sending data to the attacker’s server. For example, if you want to protect login data (username/password), banking data or credit card information, and that data should only be sent to “example.com” while the attacker’s code is trying to exfiltrate it to “magecartexample.com”, a properly configured CSP would block the exfiltration request to the bad server and send a real-time attack notification. For additional security, SRI (subresource integrity) would allow you to stop the malicious code from executing altogether.

It doesn’t have to be difficult

Tala’s technologies automate the deployment and tuning of these high-quality, standards-based security capabilities, including fine-grained CSP and SRI. You get all the website protection you and your customers need against Magecart and other client-side attacks without having to worry about performance impacts, resources, time constraints or keeping up with any changes. Above all, your website will continue to perform as normal: these are security standards designed by web experts for web experts, developed to support the rich web experience that everyone expects today.

Securing websites against this accelerating attack should be an imperative for every website owner. Get your FREE website analysis today and see how easy it can be to secure your site against every type of client-side attack. Learn more about how Tala prevents Magecart here.

Written by Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec, where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus. Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley, where he was a recipient of the CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara, where he was a QUEST Fellow, and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.