by Source Defense
A new report by Recorded Future’s Insikt Group reveals a concerning rise in Magecart attacks and e-skimming activity targeting online retailers. The research highlights how cybercriminals are evolving their tactics to bypass traditional, rather antiquated client-side security measures such as Content Security Policy (CSP) and compromise e-commerce platforms at an alarming rate.
The digital landscape of e-commerce security has shifted dramatically over the past year, revealing a perfect storm of vulnerabilities and sophisticated attacks. As researchers delved into the data, a troubling picture emerged of cybercriminals adapting faster than many retailers can defend.
The most striking revelation came in raw numbers: Magecart infections skyrocketed by 103% in just six months. This isn’t a gradual uptick—it’s a tidal wave of attacks flooding the e-commerce space. Behind this surge lies a complex web of factors contributing to the growing threat.
In February 2024, a critical vulnerability in Adobe Commerce sent shockwaves through the industry. Dubbed CVE-2024-20720, this flaw became a golden ticket for cybercriminals. They wasted no time, swiftly exploiting it to inject fake Stripe payment skimmers into countless Magento-based websites. It was a stark reminder of how quickly the digital underworld can weaponize newly discovered weaknesses.
But the story doesn’t end with known vulnerabilities. The underground economy has been busy innovating, and a new player entered the scene: “Sniffer By Fleras.” Sold for a mere $1,500 on dark web forums, this user-friendly e-skimmer kit lowered the barrier to entry for aspiring cybercriminals. The result? Between March and July 2024, threat actors used Sniffer By Fleras to infect at least 488 e-commerce websites.
While the core methods of e-skimming have mostly stayed the same, the techniques for deploying and hiding these malicious scripts have evolved significantly. “E-skimming has remained relatively consistent in recent years, with only minor advancements in the core scripting methods employed by cybercriminals,” the report states. “However, the methods used to construct the e-skimmer scripts have continued to adapt, as have the obfuscation techniques used to disguise them.”
Gone are the days of simple, direct injections. Today’s attackers are craftier. “Actors continue to move away from the injection of e-skimmer URLs directly into websites, opting for loader scripts that deobfuscate the e-skimmer URL upon execution,” according to the report. “Even loaders that inject the e-skimmer URL into the page are being phased out and replaced with loaders that retrieve the script from the e-skimmer URL and execute it directly.”
They’re also getting creative with their injection points. “HTML tags capable of embedding client-side scripts are becoming the injection point of choice for malicious actors.”
Perhaps most concerning is the continued abuse of trusted services. “We continue to see abuse of free services, such as Amazon CloudFront, Google Tag Manager (GTM), and Telegram Bot API, within the Magecart attack chain,” researchers stated. “These services are used for hosting loaders and e-skimmer scripts, and in the case of Telegram, serving as the receivers of stolen data.”
By leveraging these legitimate services for hosting and data exfiltration, attackers add a veneer of credibility to their operations, further blurring the lines between benign and malicious activity. Attackers also turn the broad capabilities of these legitimate tools to their own ends, rendering traditional blacklisting and whitelisting approaches ineffective.
As security teams race to keep up, they’re finding that traditional detection methods are failing. The sophistication of these new attacks, combined with their ability to blend in with normal website operations, has created a detection crisis. It’s no longer enough to look for obvious signs of compromise—the game has changed, and so must the defenses.
This new research paints a clear picture: the threat of Magecart and e-skimming is not just persisting—it’s thriving. As we move forward, a new approach to client-side security is desperately needed to turn the tide in this ongoing battle for the safety of online commerce.
The rapid exploitation of new vulnerabilities like CVE-2024-20720 underscores the critical importance of timely patching and security updates for e-commerce platforms. However, the complexity of many online retail systems often leads to delays in applying these crucial fixes, leaving attackers with a window of opportunity.
The emergence of easy-to-use kits like “Sniffer By Fleras” is particularly concerning, as it lowers the technical barrier for cybercriminals to launch sophisticated Magecart attacks. This commoditization of e-skimming tools could lead to a further proliferation of these threats in the coming months.
The evolving obfuscation and injection techniques highlight the ongoing cat-and-mouse game between attackers and defenders. As security teams improve their detection capabilities, criminals adapt their methods to stay one step ahead. This constant evolution requires a more dynamic and proactive approach to client-side security.
The report predicts that Magecart intrusions are unlikely to slow down in the remainder of 2024. To combat this growing threat, online retailers and security professionals must take a multi-layered approach:
Retailers should also carefully audit any existing security controls, such as CSP, that they may have implemented. These controls are often implemented incompletely or incorrectly, or are made ineffective because business priorities override security priorities.
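One way to run the CSP audit recommended above, as an added example (not code from Source Defense or the Insikt Group report): it flags `script-src` and `connect-src` entries that allow the shared services the article names, since a host allowlist cannot tell one tenant of such a service from another. The hostname patterns, finding labels and sample policy are assumptions constructed for illustration.

```javascript
// Added example. Hostname patterns for the services the article names (assumed).
const SHARED_SERVICES = [
  { name: "Amazon CloudFront", re: /(^|\.)cloudfront\.net$/i },
  { name: "Google Tag Manager", re: /(^|\.)googletagmanager\.com$/i },
  { name: "Telegram Bot API", re: /^api\.telegram\.org$/i },
];
// Parse a header into directive -> sources; the first copy of a directive wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// "https://*.cloudfront.net:443/x" -> "cloudfront.net"
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").replace(/[:/].*$/, "").replace(/^\*\./, "");
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ["script-src", "connect-src"]) {
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) { findings.push({ directive, source: null, issue: "unrestricted" }); continue; }
    const isScript = directive === "script-src";
    const dynamic = isScript && sources.some((s) => s.toLowerCase() === "'strict-dynamic'");
    // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
    const strict = dynamic || sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    for (const source of sources) {
      if (/^'unsafe-eval'$/i.test(source) || (!strict && /^'unsafe-inline'$/i.test(source))) {
        if (isScript) findings.push({ directive, source, issue: "unsafe-keyword" });
      } else if (source.startsWith("'") || dynamic) {
        continue; // other keywords; host lists are ignored under 'strict-dynamic'
      } else if (source === "*" || /^(https?|wss?):$/i.test(source)) {
        findings.push({ directive, source, issue: "any-host" });
      } else {
        const hit = SHARED_SERVICES.find((svc) => svc.re.test(hostOf(source)));
        if (hit) findings.push({ directive, source, issue: `shared-service: ${hit.name}` });
      }
    }
  }
  return findings;
}

// Constructed policy for illustration; shop.example is a placeholder origin.
const SAMPLE_POLICY = "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://*.cloudfront.net; connect-src 'self' https://api.telegram.org https://api.shop.example";
console.log(auditCsp(SAMPLE_POLICY));
```

Each finding names the directive, the offending source and the reason, so the output can be reviewed against the business justification for keeping that entry.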
As the holiday shopping season approaches, it’s crucial for both retailers and consumers to remain vigilant. Shoppers should monitor their financial statements closely and be wary of any suspicious activity on websites they visit. Retailers must prioritize client-side security as a critical component of their overall cybersecurity strategy to protect their customers and maintain trust in the digital marketplace.
To prevent similar incidents, organizations should consider the following:
Source Defense offers a powerful solution to these challenges:
Implementing a solution like Source Defense can prevent all forms of client-side attacks. As cyber threats evolve, adopting such advanced, behavior-based web application defense solutions becomes not just a best practice but a necessity for organizations handling sensitive customer data.
The post Magecart Attacks Surge as E-Commerce Security Struggles to Keep Pace appeared first on Source Defense.
*** This is a Security Bloggers Network syndicated blog from Blog | Source Defense authored by Scott Fiesel. Read the original post at: https://sourcedefense.com/resources/magecart-attacks-surge-as-e-commerce-security-struggles-to-keep-pace/