British Airways, Ticketmaster and Newegg hacks part of massive Magecart formjacking campaign
Researchers establish ties between recent headline-grabbing attacks and a major spike in formjacking
A spate of recent attacks against established brands including British Airways, Ticketmaster, and Newegg have been found to be part of a wider formjacking campaign that's involved almost a quarter of a million attacks since mid-August.
Hacking collective Magecart has been pinpointed by researchers as the group responsible for a massive spike in attacks this month, as a host of firms continue to reckon with crippling attacks to their infrastructure, and a loss of sensitive customer data.
Formjacking, according to researchers at Symantec, involves injecting malicious script into a web page, and waiting for a user to fill out an embedded form with their personal and financial details. When the user submits the form to complete a purchase, data is sent to the merchant website, and a copy is also sent to the attacker.
Although Symantec has blocked 248,000 formjacking attempts since 13 August, more than a third of those occurred between 13 and 20 September. Moreover, the number of attacks detected during this period increased 117% against the same week in August from 41,000 last month to almost 88,500.
"While the compromise of larger organisations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking," Symantec's security response team wrote in a blog.
"Victims may not realise they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection."
Although attackers can use many methods to compromise websites, researchers noticed that Magecart attacks tended to target weaknesses in an organisation's supply chain. Because these smaller firms provide their larger partners with a variety of services, vulnerabilities in their systems can be exploited as an entry route into the larger company.
These included setting up spoofed web domains that feigned the appearance of a legitimate company, and purchasing SSL certificates to make the servers seem legitimate.
"The group used to primarily focus on hacking into Magneto online stores," the security response team continued, "but it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data."
There were 1,000 instances of formjacking blocked by Symantec between 18 and 20 September, targeting 57 individual sites. Analysis shows they were mostly online retailers, but ranged from niche shops to massive enterprises.
Symantec's researchers warned business to be aware of the dangers of software supply chain attacks, given these have been used as the main route of infection in many instances.
Although difficult to guard against, a number of measures, including testing new updates in small test environments first and behaviour monitoring of all system activity, may go some way towards mitigating the risks.