If you have been following the security headlines in the last year you cannot fail to have noticed the alarming rise in reports of Magecart.
Traditionally malware infects users’ computers, opening backdoors through which hackers can remotely access files, steal resources, or spy on their victims.
In a typical data breach, hackers break into company servers, access databases and steal large amounts of information – perhaps including encrypted passwords, email addresses, telephone numbers, and maybe even limited financial information.
What you don’t normally see in a data breach, however, is full payment card information stolen.
That’s because most companies don’t store your full credit card details – such as your CVV security code. If they did, data breaches would be much more serious, as it would be easier for hackers to monetise the data that they’ve stolen.
What’s so dangerous about Magecart’s attacks are that it doesn’t matter that a company hasn’t stored your credit card details.
A Magecart attack doesn’t have to break into your customer database. Instead, its malicious script lurks on a company’s website watching the information entered by customers as they checkout from your online shop, and skimming it away.
Typically the malicious code will be hosted on a third-party site, and the webpage’s HTML source code will just contain a single reference running the dangerous script.
In the past six months there have been numerous companies impacted by Magecart, including Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg… the list goes on and on.
Hundreds of millions of customers have been affected. And if you operate a website today, you are most likely susceptible to this type of attack.
So, what are you going to do about it?
Join me on a webinar
You can hear me talk more about the threat posed by Magecart, and hear about the pros and cons of different ways to defend against the threat, in a webinar I am speaking at with the experts from Source Defense.
Title: Mitigating Magecart Attacks – Why Real-Time Prevention Is Your Best Option
Date: Wednesday, February 27, 2019
Time: 12:00 PM Eastern Standard Time
Duration: 1 hour
Register now, and learn more about these browser session attacks that can silently skim payment data and personally identifiable information. If you can’t attend the webinar “live”, register anyway and I’m sure they’ll send you a link to the recording afterwards.
I’m looking forward to it, and hope to see some of you there.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.