A criminal Magecart gang successfully compromised hundreds of e-commerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online.
According to researchers at Trend Micro
and Risk IQ
, websites affected by the breach at Adverline included ticketing, travel and flight booking services as well as online stores selling cosmetic, healthcare and apparel products.
Your company may have security in place to prevent hackers from successfully breaking into your systems. But with a Magecart-style attack, they haven't directly compromised your IT infrastructure. Instead, they have poisoned a third-party script used by your website. It's equivalent to poisoning a water supply upstream from where it's being drunk.
Furthermore, the exploitation of the Adverline ad network underlines a tactic often seen in Magecart attacks. Criminals will take advantage of the fact that a typical website’s security team is more likely to be fully-staffed during the working week
and left less well-defended at other times. Often exploitation appears to take place at weekends or -- in this case -- between January 1st and January 5th, 2019 when many IT workers would be expected to be on vacation or still nursing their New Year's hangover.
In recent months, there have been numerous companies impacted by Magecart attacks skimming their customers' payment details. Businesses hit have included British Airways
, Vision Direct
Hundreds of millions of customers have had their payment card details stolen through Magecart attacks. The costs are obviously significant to the companies involved and the financial institutions required to issue new payment cards to customers who have had their details stolen.
In the eyes of the typical customer, it is the online store selling perfume or plane tickets that has been careless with their payment card details.
And as a result, it is those companies whose brand is damaged. It takes years to build a brand that your customers trust. Trust takes years to build, seconds to lose and a lifetime to regain - if you’re lucky.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.