Researchers on Monday discovered a new Magecart campaign that has impacted at least 44 e-commerce sites.
In a blog post, Jscrambler researchers said the incident underscores how risky client-side security can be if the web supply chain is left unchecked. The researchers said in what appears as a new way to acquire victims cheaply and easily, attackers took over a defunct internet domain that previously hosted a JavaScript library decommissioned in December 2014.
The researchers said companies running the JavaScript failed to remove it from their website, likely because of a lack of visibility into third-party scripts and/or poor security policies. This attack has been underway since Dec. 20, 2021, and uses a loader script that resembles Google Analytics, a common JavaScript included in many websites. Another version aims to resemble Google Tag Manager, the researchers said, done for deception only, as the real endpoint to contact is encrypted or encoded.
“Our discovery of this web skimming attack underscores the importance of practicing good client-side security hygiene,” said the researchers. “Most web applications are a complex mash-up of elements leveraging code from the web supply chain and most security teams don’t have visibility into this third-party code running on their website — they don’t know if it’s behaving as it should or misbehaving, whether accidentally or maliciously. This security blind spot can create a false sense of confidence in your assessment of risk.”
The Magecart skimming attacks are another chapter in the software supply chain story, said Scott Gerlach, co-founder and CSO at StackHawk. Gerlach said developers should start defending their apps and APIs by actively checking in on the public packages and repositories they use.
“But that can only get you so far with limited visibility into how the third-party code is running,” said Gerlach. “We need to dedicate more time and money to maintaining package management services if we expect the software supply chain to become more secure.”
