CMS Security Concerns: Attacks via Credit Card Skimmer Scripts Spike

Third-party software like CMS on popular websites increase risks of online credit card skimmer attacks.

Pam Baker

August 23, 2019

3 Min Read
CULVERHOUSE I preordered a Plastc credit card  Im a minimalist and looking forward to consolidating my wallet into a single cardTALKIN CLOUDS SPIN Im
CULVERHOUSE: I pre-ordered a Plastc credit card. I’m a minimalist and looking forward to consolidating my wallet into a single card. TALKIN' CLOUD'S SPIN: I'm still amazed.

On the heels of the July 4 Magecart credit card skimmer attack on 962 stores, the largest such attack so far, comes news that the same credit-card skimmer script is being injected into content management systems (CMS). The attackers’ opening move surprised Malwarebytes’ security researchers and a popular poker tracking service. Now it’s pressuring other antivirus vendors and MSSPs to up their games too.

PokerTracker.com helps poker players improve their game. It certainly doesn’t resemble the traditional, customized Magecart victim, and yet the odds were not in its favor.

Shapira-Elad_Panorays-135x150.jpg

Panorays’ Elad Shapira

“The PokerTracker hack illustrates a common cybersecurity issue: the failure of many companies to update their content management systems; in fact, Panorays’ research found that nearly one-third of U.S. management consultancy firms were running older versions of CMS like WordPress and Drupal,” said Elad Shapira, Panorays’ head of research.

“If such is the case at critical suppliers, then it comes as no surprise that websites like Poker Tracker are vulnerable as well. This incident serves as a reminder that companies should check the security of their own websites and technologies, and also take the opportunity to check that their vendors’ systems are up to date,” Shapira added.

The threat has become so prevalent now that the PCI Security Standards Council and Retail and Hospitality ISAC have joined forces to highlight the growing threat of online skimming attacks such as Magecart.

Patel-Deepak_PerimeterX-135x150.jpg

PerimeterX’s Deepak Patel

“The alert from the PCI Security Standards Council should be taken seriously since the traditional forms of web application security cannot defend against such client-side attacks. It is critical for website owners to both keep their third-party code up to date and to consider solutions that analyze the behavior of the site in real-time and expose malicious payloads as they are being executed,” said Deepak Patel, security evangelist and vice president of marketing at PerimeterX.

Third-party software on websites are increasing the risks of credit-card skimmer script injections.

“Many reputable organizations use third-party software on their websites. While this helps productivity, it also introduces risks — unknown vulnerabilities open the door for malicious activities,” said Patel.

“In the latest Magecart attack, threat actors placed a piece of Javascript that harvested sensitive information for future criminal use. In addition, this attack used a URL that upon first glance led website visitors to believe that they were interacting with a trusted vendor,” Patel added.

Threat actors using Magecart made earlier shotgun attacks rather than carefully target their victims. In June, Malwarebytes documented Magecart credit card skimmers found on Amazon S3 buckets.

“This was an interesting development, since threat actors weren’t actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket,” wrote the researchers in a Malwarebytes blog.

Similarly injecting other platforms optimizes opportunities for attackers.

“Magento is one of the most popular e-commerce platforms, which makes them a prime target for Magecart and similar attacks. It provides a marketplace with thousands of plug-ins — each one can be a source for various vulnerabilities. The fact that so many customers use Magento – many with outdated vulnerable versions – makes them so appealing to Magecart attackers,” said Giora Omer, head of security architecture at Panorays.

These attacks underscore the need for MSSPs and their customers to redouble efforts to secure third-party suppliers, whether their products are CMS, platforms, apps or data streams.

Read more about:

MSPs

About the Author

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like