Yesterday at Report URI we launched the first of several new features that are going to specifically target and help mitigate Magecart and similar attacks. Magecart is a massive threat to any organisation that accepts payment cards on their website and that's who I want to make an open call to right now.
Magecart
I've talked about Magecart several times in the past but to give a brief overview for those of you who may be reading this and not be a regular reader, it works like this:
- The hacker group will find some way to get JavaScript onto your website that shouldn't be there, so-called 'hostile script'.
- This script will then load with your webpage into the browser of your visitor and watch the keystrokes on your visitors' keyboard.
- Whilst watching these keystrokes, the script will watch your visitor entering their payment card details and send a copy directly to the attackers.
Magecart attacks have historically been very difficult to detect and prevent, and the impact is severe: the attackers will potentially make off with your customers' names, addresses, full payment card details and the CVV, which is often typed in during the checkout phase of an online purchase. If you'd like some more background reading, I have a couple of articles to refer to: Magecart are coming for you, are you ready? and, on a similar problem called Cryptojacking, which is the same attack as step #1 above but with a different outcome, Protect your site from Cryptojacking with CSP + SRI.
With these attacks being quite difficult to detect and prevent, we've been working towards making it easier at Report URI for quite some time. A security feature built into all browsers called Content Security Policy is a very effective way to stop attacks like these, but it can be tricky to deploy. To that end, we spent many long months working on a brand new feature that was launched yesterday called Script Watch.
Script Watch
Designed to give website operators the ability to do two very specific things with minimal effort, Script Watch is, honestly, the fastest and easiest way I know of to massively reduce the risk of Magecart style attacks.
- Quickly and easily audit all of your JavaScript dependencies.
- Get alerts when new JavaScript dependencies are detected.
The first step here is crucial as you need to know exactly what script you have and if that script is all legitimate. The second step is then a case of monitoring for any new script that may find its way onto your website. With notifications of any new script that appears landing in your inbox, you can know almost immediately that it's appeared and investigate to see if it's a legitimate addition by a member of your team, or an illegitimate addition by someone else... I'm confident that Script Watch is a great tool to help with the problem of Magecart but making these claims without backing them up doesn't show real faith in our product, so I make the following offer.
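The two steps above, audit then alert, can be sketched with a CSP report-only policy and a small report consumer. This is an added illustration written for this post, not Report URI's Script Watch code; the origins, the report endpoint and the sample reports are constructed, and the report JSON follows the standard csp-report shape browsers send.

```python
import json
from urllib.parse import urlsplit

# Constructed inventory of script origins the team has audited and approved
# (the "audit all of your JavaScript dependencies" step). Hypothetical hosts.
KNOWN_SCRIPT_ORIGINS = {"https://shop.example", "https://cdn.example"}


def build_report_only_policy(origins, report_endpoint):
    """Build a Content-Security-Policy-Report-Only value that only watches
    script-src. Report-only never blocks anything, so it is safe to deploy
    before the inventory is complete; report_endpoint is a placeholder."""
    return "script-src {}; report-uri {}".format(" ".join(sorted(origins)), report_endpoint)


def script_origin(blocked_uri):
    """Reduce a CSP blocked-uri to its origin. Browsers may send 'inline' or
    'eval' instead of a URL, and some reports carry an empty value."""
    if not blocked_uri or "://" not in blocked_uri:
        return blocked_uri or "unknown"
    parts = urlsplit(blocked_uri)
    return "{}://{}".format(parts.scheme, parts.netloc)


def new_script_alerts(raw_reports, known_origins):
    """Return {origin: {pages}} for script origins seen in CSP reports that are
    not in the audited inventory: one alert per origin, however many reports.
    Known origins are re-checked because cached pages may still carry an
    older policy and report scripts that have since been approved."""
    alerts = {}
    for raw in raw_reports:
        report = json.loads(raw).get("csp-report", {})
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        if not directive.startswith("script-src"):
            continue  # img/style/etc. violations are not what we are watching for
        origin = script_origin(report.get("blocked-uri"))
        if origin in known_origins:
            continue
        alerts.setdefault(origin, set()).add(report.get("document-uri", "?"))
    return alerts


# Constructed sample reports: one audited script, one unknown script on the
# checkout page, and one unrelated image violation that must be ignored.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"script-src","effective-directive":"script-src","blocked-uri":"https://cdn.example/app.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example/checkout","violated-directive":"script-src","effective-directive":"script-src","blocked-uri":"https://unknown-host.invalid/chat.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","violated-directive":"img-src","effective-directive":"img-src","blocked-uri":"https://tracker.invalid/pixel.gif"}}',
]

if __name__ == "__main__":
    print(build_report_only_policy(KNOWN_SCRIPT_ORIGINS, "https://reports.example/csp"))
    for origin, pages in new_script_alerts(SAMPLE_REPORTS, KNOWN_SCRIPT_ORIGINS).items():
        print("ALERT: unaudited script from", origin, "on", sorted(pages))
```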
Calling all online retailers
If you're a website that is a likely target for Magecart, which means you process a large amount of online card payments on your website, then I'd like to extend the following offer to you.
- A 3 month, all inclusive Enterprise Plan to Report URI - Free
- A 1 hour setup call with me, to get all the information you need - Free
- A 1 hour fine-tuning call with me, to make sure it's all running smoothly - Free
That's all the effort it should take on my part to get even some of the larger online retailers set up and using Script Watch effectively. Preferably we'd have the 1 hour setup call and start the free subscription on the same day during July, we'd have the fine-tuning call sometime within a couple of weeks of setup, and then you should have at least 2 months of service to use Script Watch to its full potential. After that, the choice is yours! You can subscribe and continue to use the service, or we can part ways having all learnt something valuable, with no commitment and no strings attached.
There's no such thing as a silver bullet
Using Script Watch does not make you impervious to Magecart style attacks, and it's not meant to. What Script Watch is designed to do is alert you to the fact that an attack is taking place as fast as possible. If you look back at any example of a Magecart attack over the last 6 years, one of the most common things that you will notice is that the hostile script was on the payment page for quite some time before it was detected and removed. We allow for the detection and removal to happen faster.
It is possible to use a combination of technologies (CSP, SRI, Script Watch) to make your site almost completely impervious to a Magecart style attack, but that requires a lot of time and a lot of effort. Using Script Watch alone to enable rapid alerting can take just a few hours to set up and could be invaluable in stopping the attack in its tracks before too much damage is done. Of course, website operators can and should consider going further and looking at CSP and SRI over time, but for now, our focus is on giving you the ability to know that something bad is happening as fast as possible so you can stop it. To demonstrate, just 24 hours after we launched Script Watch, a Magecart attack came to light that is precisely the kind of attack that we would have detected and alerted you about within minutes.
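As an added example of the SRI half of that combination (not code from Report URI), this computes the integrity attribute for an audited script and mirrors the browser's check, showing that a script modified at the CDN fails to load even though its URL is unchanged. The script body and URL are constructed.

```python
import base64
import hashlib
import re


def sri_hash(body, algo="sha384"):
    """Compute a Subresource Integrity value the way the browser will:
    base64 of the raw digest, prefixed with the algorithm name."""
    digest = hashlib.new(algo, body).digest()
    return "{}-{}".format(algo, base64.b64encode(digest).decode("ascii"))


def script_tag(src, body):
    """Emit a <script> tag pinned to the current, audited contents of the script.
    crossorigin is required for SRI on cross-origin scripts."""
    return '<script src="{}" integrity="{}" crossorigin="anonymous"></script>'.format(src, sri_hash(body))


def sri_check(integrity_attr, fetched_body):
    """Mirror the browser: the script runs only if one of the listed hashes
    (space separated, strongest algorithm wins in practice) matches the bytes
    that were actually fetched."""
    for token in integrity_attr.split():
        algo, _, _expected = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(fetched_body, algo) == token:
            return True
    return False


# Constructed script body standing in for an audited third-party script.
AUDITED_JS = b"window.checkout = function () { /* audited build 42 */ };"
TAG = script_tag("https://cdn.example/checkout.js", AUDITED_JS)


def tampered_script_is_blocked():
    """The audited body passes; the same URL serving even one extra byte fails,
    which is what makes SRI effective against a script replaced upstream."""
    integrity = re.search(r'integrity="([^"]+)"', TAG).group(1)
    return sri_check(integrity, AUDITED_JS) and not sri_check(integrity, AUDITED_JS + b"//x")


if __name__ == "__main__":
    print(TAG)
    print("tampered copy blocked:", tampered_script_is_blocked())
```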
Card details including CVV impacted. Sounds very Magecart’ish. https://t.co/V3nq5wgwuU
— Troy Hunt (@troyhunt) June 14, 2021
The attack was simple and follows all of the hallmarks of a traditional Magecart attack, with the following hostile script being loaded on the site:
<script src="sucuritester[.]com/eggfreecake/chat.js">
How the script got there we don't know, but I do know that we would have detected this with Script Watch and sent an alert within minutes of it appearing on the site.
Sound interesting?
If it sounds like you fit the above criteria and you'd like to take me up on this offer, reach out to me directly via email (scott[at]report-uri[dot]com) and we can start the conversation. As I said above, there are no strings attached to this offer, but it would be great if your organisation was open to talking about your experience publicly or perhaps even taking part in a case study in the longer run. Your participation is, however, not contingent on this! If you want to learn more about Script Watch, take a look at the launch blog post and our documentation.