How Page Integrity Manager Detects Real—World Magecart Attacks
Let’s take a closer look at and break down a recent Magecart attack detected and mitigated by Akamai’s Page Integrity Manager. The impacted customer operates a large international e-commerce business in which one of its websites was compromised with a malicious script.
All users visiting the website were exposed to this script, but it was only effective on specific pages -- the mobile checkout form and one of the web checkout forms.
The attack used string manipulation techniques to try to evade reflection detection of sensitive data by employing a UTF-16 charcode shift cipher algorithm, swapping letters with a corresponding UTF-16 code representation and 10-place rotation. As an example, with the shift cipher method described above, the string "a" which has a UTF-16 charcode of 97, would be represented as 107 in the payload sent to the C2 server.
The attacker's C2 server used a name very similar to the brand name of our compromised customer, with a different top-level domain. This is a common characteristic of this type of attack and a good way to evade the human eye, since the domain looks legitimate.
Page Integrity Manager observed the described behavior and raised it as a "Suspected Web Skimming" attempt.
In the incident detection report, we displayed the script behavior chain highlights, which break down the malicious code execution behavior detected by Page Integrity Manager, after running it through a series of classifiers, detectors, and AI models. The events that the AI models found as anomalous were given an "Unusual Activity" tag, indicating they were not expected in this code execution context based on observed historical application data.
Zooming into the summary, it is clear that the anomalous events were of type "Read from sensitive data" and "Sent outbound traffic" -- indicating that there was an anomaly in reading values from sensitive fields (e.g., obtaining the values of the credit card input) and there were unexpected network requests.
Furthermore, Page Integrity Manager also provided information about the individual user sessions that were affected by the incident, to better track and understand impact.
The customer immediately received an automated alert with detailed information to understand the suspicious behavior, and the customer's web team double-confirmed that the suspicious activity did not belong to them. This prompted the customer to take action. It applied an Incident Response policy, one of Page Integrity Manager's core features, to protect realuser browser sessions from contacting the attacker's C2 server in real time, which prevented sensitive data from being exfiltrated from end-user browsers. This happened in parallel to the customer updating its app to no longer include the malicious script.
This Magecart attack is a typical example of what Page Integrity Manager can identify, flag, and resolve quickly. By having always-on, always-detecting monitoring and alerting, our customer was able to see a zero-day event, and understand and mitigate it in minutes. In addition, creating a policy based on detected suspicious behavior with a single button press alleviates delays and heavy security team workloads.
Magecart continues to be an active threat vector that targets e-commerce companies of all sizes -- some use via generic skimmer code while others employ very targeted and tailored skimmers such as the above example. And these attacks are not isolated to third-party hostnames and services -- malicious scripts can impact your real users from both first-party and third-party assets.
To minimize the impact of threats like Magecart, in-browser protection needs to be an integral part of any business with a significant online presence. To learn more, please visit akamai.com/PIM.