What is Magecart? It Isn’t a Thing.

When it comes to the security of websites, and security in general, there is a lot of focus on catchy names for things, not a lot on actual security. A great example of that is Magecart. What is Magecart? Well, it really isn’t anything. Instead, it is a term used for a whole host of different things, which makes it useful selling security services and creating press coverage, but not for actually resolving the underlying issues.

Here is one description of Magecart from security news outlet, CSO Online:

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information.

Elsewhere, a security news outlet described it as being competing groups:

here’s no clearer indicator that the Magecart scene is getting crowded than discovering that some groups are now sabotaging each other’s code

Elsewhere it is described not as an entity, but as a type of attack:

Every day we hear about some new threat or vulnerability in technology, and the data harvesting attack known as “Magecart” is the latest threat.

Elsewhere, in a security news outlet that is part of a security company, you will find it claimed that only impacts Magento websites:

So-called Magecart attacks utilize web injections to deploy JavaScript code on Magento websites that skims and steals payment card information from retail website customers.

But the very next paragraph mentions “high-profile targets”, which didn’t run on Magento:

Once believed to be the work of a single cybercrime gang hitting high-profile targets including Ticketmaster and British Airways, Magecart-style attacks have now evolved and have been adopted by numerous threat groups.

We could go on, but you get the point.

What You Can’t See is Ignored

To the extent that these disparate descriptions of Magecart have any common feature, it is that involves JavaScript code that captures information, like payment details, during the checkout process on a website. That isn’t the only way that hackers can capture that information, as they could capture on the system that it submitted, which is often the same system serving the website where the checkout is occurring. That wouldn’t be possible to directly detect from the outside, generally, which seems to explain why there is so much focus on only part of the issue.

Even what you can detect is only the end result of a hack, so while you will find lots of stories about Magecart, there is very little on how the hack occurred. If you don’t focus on how they occurred, they you are not likely to address those issues. Not surprisingly, the hacks keep occurring. That is bad for just about everybody except the people pushing the Magecart narrative, since security companies can sell more products and services this way (which don’t resolve the issue seeing as the hacks continue) and journalists get easy stories.

Indirect Protection at Best

For this type of attack to work, a hacker has to somehow get malicious JavaScript code to run on the checkout page. That would either occur by placing it directly on the website handling the checkout or some other websites that serves up JavaScript on the checkout page. In either case, a hacker has to gain access to systems to do that. To put that another way, the way to prevent this would be to focus on the server-side, but here was the start of a recent article in a security news outlet written by an employee of a security company:

With e-commerce displaying no signs of slowing down since the start of the COVID-19 pandemic, the Magecart cyber-criminal syndicate is thriving. By evolving their web skimmers to become harder to detect and avoid, they have been successful in breaching several high-profile businesses.

After years of discovery and research by the cybersecurity industry, we are at a stage now where companies have started looking for effective protection against this serious threat. Typically, when security teams understand how web skimming attacks operate and how they take advantage of the huge security blindspot that is the client-side, they first turn to CSP (Content Security Policy).

Focusing on the client-side would be, at best, an indirect way to handle this and wouldn’t handle the situation at all if hacker collects the data when it is submitted to the website. There is simple reason why that person might present that as the focus, the company they work for provides client-side solutions.

Need Help Securing a Magento Website?

If you have a Magento website that is hacked, we can help you to actually get it cleaned and secured. If need someone to handle keeping Magento up to date, which goes a long way to keeping it secure, we can take care of that for you.