12 checklist items for defeating Magecart attacks

September 11, 2020
Magecart skimmers remained active on Claire's website for 50 days before being discovered earlier this year. Today’s columnist, Pedro Fortuna of Jscrambler, offers security pros a checklist for selecting a product to combat Magecart attacks. (Photo by Keith Mayhew/SOPA Images/LightRocket via Getty Images)
  • Detect and block the addition of “click” or “submit” event handlers to the page. Security pros consider the addition of form-related event handlers (for example, of an onmouseover event) a common malicious behavior in Magecart skimmers.
  • Detect and block the addition of elements to the page, such as forms. More advanced web skimmers add fake credit card payment forms to the page or new buttons to the page. Security pros also consider this sort of document object model (DOM) tampering a common indicator of malicious behavior.
  • Detect and block the removal of elements from the page, such as a div and its child nodes. By removing content from the page, attackers can divert users from the legitimate flows to compromised ones.
  • Detect and block the modification of page content, such as editing element attributes or changing element visibility. Much like removing elements from the page, modifying it lets attackers trick users, for example by hiding a spinner.
  • Detect and block sensitive data collection and its exfiltration. Magecart attackers invariably need to send the captured data out to a drop server. Security teams need to detect this, namely by monitoring for outbound network events to unknown domains or even unexpected data to known domains.
  • Require a complete website inventory. This improves visibility of the scripts and network connections that take place in any given user session, making it easier to learn what’s normal and to spot malicious behaviors.
  • Avoid bot-based approaches. Some of the more advanced Magecart skimmers use bot detection techniques to avoid detection from approaches that visit the page continuously to check for skimmers.
  • Avoid products with limited compatibility. Some products don’t work on all browsers and versions; for example, Subresource Integrity (SRI) isn't compatible with Internet Explorer or with Safari for iOS.
  • Avoid any type of impact on page performance. Online experts consider page performance an important driver of e-commerce sales; the solution should leave a minimal footprint on performance.
  • Avoid high-maintenance products that are difficult to integrate. Integrating a product that requires significant refactoring of current systems or substantial maintenance and configuration effort will lead to problems further down the road.
  • Avoid approaches that are only signature-based. These products will be very limited in terms of detection capabilities and will likely fail to detect new exploits. Optimal products look for behaviors instead.
  • Look for tamper-resistant defense code. The defense code will often run alongside potentially malicious code. To avoid interference from the malicious code, the code itself must deter direct tampering attacks.
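The DOM-tampering and exfiltration items above (added forms, removed subtrees, visibility changes, unexpected outbound data) can be expressed as behavioral rules. The following is an added example written for this column, not Jscrambler's product code: the rules take plain objects shaped like the browser's MutationRecord so they run in Node on constructed input, the host names in the inventory are placeholders, and installObserver() shows the wiring on a real page.

```javascript
// Behavioral rules for the checklist's DOM-tampering and exfiltration items.
// Records mirror MutationRecord (type, target, addedNodes, removedNodes,
// attributeName) so the logic is testable without a DOM.
const SENSITIVE_TAGS = new Set(['FORM', 'INPUT', 'IFRAME', 'SCRIPT', 'BUTTON']);
const VISIBILITY_ATTRS = new Set(['style', 'hidden', 'class']);
// Hosts from the site's network inventory (constructed placeholder names);
// only PAYMENT_HOSTS may ever receive card data.
const INVENTORY = new Set(['shop.example', 'cdn.example', 'pay.example']);
const PAYMENT_HOSTS = new Set(['pay.example']);

function classifyMutation(rec) {
  const out = [];
  if (rec.type === 'childList') {
    for (const n of rec.addedNodes || [])
      if (SENSITIVE_TAGS.has(n.tagName)) out.push(`added ${n.tagName}`);
    for (const n of rec.removedNodes || [])
      if ((n.childNodes || []).length > 0) out.push(`removed ${n.tagName} subtree`);
  } else if (rec.type === 'attributes' && VISIBILITY_ATTRS.has(rec.attributeName)) {
    out.push(`changed ${rec.attributeName} on ${rec.target.tagName}`);
  }
  return out;
}

// Luhn check, used to spot card-number-like values in an outgoing body.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = +digits[digits.length - 1 - i];
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Flags requests to hosts outside the inventory and card-like data going
// anywhere other than the payment host (the "unexpected data to known domains" case).
function classifyRequest(url, body = '') {
  const host = new URL(url).hostname;
  const out = [];
  if (!INVENTORY.has(host)) out.push(`outbound to unknown host ${host}`);
  const cardLike = (body.match(/\d{13,19}/g) || []).some(luhnValid);
  if (cardLike && !PAYMENT_HOSTS.has(host)) out.push(`card-like data sent to ${host}`);
  return out;
}

// Browser wiring (not run in Node): report() receives each finding as it occurs.
function installObserver(root, report) {
  const obs = new MutationObserver(recs => recs.flatMap(classifyMutation).forEach(report));
  obs.observe(root, { childList: true, attributes: true, subtree: true });
  return obs;
}
```

In a real deployment the request check would sit in a wrapper around fetch/XMLHttpRequest or in a CSP report handler, and the inventory would come from the site's script and connection baseline rather than a hard-coded set.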