Here’s how to defend your enterprise from Magecart

With the body of forensic evidence tied to Magecart growing, researchers have released recommendations for defending against the group.

Magecart, a broad set of hackers that steal online payment data, has been rampant in recent months. The group has allegedly breached popular websites like those of British Airways and Ticketmaster UK by injecting malicious scripts, directly or through third parties, to siphon off customer data en masse.

With the body of forensic evidence tied to Magecart growing, researchers with analytics company Securonix have released recommendations for defending against the group. The goal is to keep online vendors from being Magecart’s next high-profile scalp.

The threat data can “increase the chances of early detection of this, and potentially other future variants of the Magecart malicious threat actor activity on your network,” Securonix’s Oleg Kolesnikov and Harshvardhan Parashar wrote in a research paper.

There are at least three data channels that organizations need to monitor to boost their chances of detecting Magecart, according to Kolesnikov and Parashar: web server content and file integrity, along with SSL/TLS proxy logs and endpoint logs. The first category of monitoring can sniff out supply-chain attacks and Magecart’s attempts to install malicious scripts on servers; the latter two categories can pinpoint that script activity within a browser, they said.

At least some of the JavaScript implants used by Magecart need to bypass a target website’s same-origin policy (SOP), the browser security mechanism that governs whether scripts on one webpage can access data on another. The researchers therefore advise network defenders to prevent the use of proxies that uniformly enable “cross-origin resource sharing,” which allows requests for webpage data to be made from one domain to another. In bypassing the SOP, Magecart hackers often use servers they control to extract the stolen personally identifiable information, according to the research.

In the case of the Ticketmaster UK breach disclosed in June, the entertainment vendor said it was breached via a third-party customer service application. Given Magecart’s past use of supply-chain software as an attack vector, Kolesnikov and Parashar cautioned organizations to closely review third-party components used by their websites.

“Consider using in-house script mirroring instead of loading the script directly from the third party so that any malicious modification of the script at the third party doesn’t affect the code hosted on the website,” they wrote.
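The web server content and file integrity monitoring recommended above, and the in-house script mirroring just quoted, both come down to knowing exactly what scripts a site serves and noticing when they drift. The following is an added example, not Securonix’s or CyberScoop’s code: it hashes every script and page under a web root into a baseline and reports modified, added and removed assets; the web root layout, file names and tampering in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Asset types whose drift matters for a skimmer: scripts and the pages that load them.
WATCHED_SUFFIXES = {".js", ".html", ".htm"}

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(webroot: Path) -> dict:
    """Map each watched asset (path relative to the web root) to its hash."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Every difference from the baseline is a review item: changed, new or vanished asset."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario (hypothetical web root): baseline a mirrored checkout
    script, then simulate a modified script plus an unexpected new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function pay(){ /* legit */ }\n")
        (root / "index.html").write_text("<script src=/js/checkout.js></script>\n")
        baseline = snapshot(root)  # in practice, stored when the mirror is refreshed
        # Simulated drift (an appended comment, not a real skimmer) and an added file.
        (root / "js" / "checkout.js").write_text("function pay(){ /* legit */ }\n// appended\n")
        (root / "js" / "vendor.min.js").write_text("/* unexpected */\n")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Run `snapshot()` against the real web root whenever a mirrored third-party script is deliberately updated, persist the result, and alert on any non-empty `diff_snapshots()` output between refreshes.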

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.