Magecart: The Rise of eCommerce Keylogging

10.26.16

Dan Ennis CEO

Since March 2016, over six thousand websites were found to be infected with a rarely-before seen skimming malware. This malware was essentially a web-based keylogger injection campaign that targeted popular eCommerce platforms (Magento, Powerfront CMS,and OpenCart) has become known as “Magecart”.

Magecart allows cybercriminals to inject a keylogger directly into the target website and the formgrabber content is exfiltrated and hosted on remote attacker-operated sites. This strain of malware is particularly interesting because cybercriminals are taking methods they’ve found successful in compromising endpoints and applied it to lucrative eCommerce websites.

PREVENTING KEYLOGGING COMPROMISES AND ELMINIMATING ZERO-DAY VULNERABILITIES

According to RiskIQ research, the credit card stealer works in a very similar manner on the compromised web server as a banking Trojan functions on a compromised victim workstation. Code is injected which can “hook” web forms and access data form submissions much like a formgrabber. Data is exfiltrated from the compromised server to a dropzone for attacker collection. There is some indication in related payloads that attackers may be injecting bogus form fields into payment forms to solicit additional data from victims.

Trusted Knight’s Cloud-DMZ eliminates website and application vulnerabilities, including the recently publicized Magecart and all zero-day vulnerabilities, by preventing attackers from gaining unauthorized access to web systems, compromising sensitive data and defacing websites.

Cloud-DMZ is an advanced alternative to a conventional Web Application Firewall. Cloud-DMZ actively scans your application, learns its functionality and protects by understanding the context of each incoming request. As a result, it can accurately tell apart legitimate traffic from malicious traffic and will not block legitimate users. By replicating web application components to the cloud, Cloud-DMZ removes up to99% of the attack surface and dramatically simplifies maintenance.

This method of protection secures the complete stack from the entire range of web application attacks.

Start protecting your websites with Cloud-DMZ today.

blog-post-logo