Magecart - Threat Hunting Edition
Magecart was the malware behind the British Airways and Ticketmaster data breaches a few years back and, unfortunately, it’s still alive and well. In fact, the latest victim appears to be OXO, a consumer household goods brand.
Luckily, researchers are continuing to hunt for Magecart and it’s easy to detect the compromise by looking for links to this malicious code. We saw a tweet the other day that prompted us to run a quick search:
When Censys encounters hosts with port 80 open during a scan, we issue an HTTP GET request for the root page on the server. We parse and index the returned HTTP response into searchable fields, like HTML body and server header. We store that content and allow users to search both headers and the raw HTML content.
We manually inspected the results of this query to ensure that the HTML in the HTTP(S) body actually contained a script link to one of those domains and was not just a string match elsewhere in the body (a false positive). With a larger result set, this check could easily be automated with a script.
Those filtered search results of affected IP addresses are below:
Beyond website security features such as segregated rights and permissions, and application security practices and updates, the browser itself can be leveraged to defend the end user's data. The subresource integrity (SRI) feature allows you to cryptographically fingerprint the scripts you link to and forces the loaded code to match that fingerprint before it executes. While this wouldn't prevent a website's alteration, it would prevent the altered code from running on the client, effectively blocking Magecart and similar malware.
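An added example (not code from the Censys post) of both checks described above: the script-link-versus-string-match filter that the post says could be automated, and the SRI fingerprint comparison the browser performs before running a script. The hosts skimmer.example and cdn.example and the sample page are constructed placeholders; the actual domains from the tweet are not reproduced on this page.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder skimmer host; the real domains from the tweet are not reproduced on this page.
KNOWN_BAD_HOSTS = {"skimmer.example"}

class ScriptCollector(HTMLParser):
    """Record (src, integrity) for every <script> tag that loads external code."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def external_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts

def flag_bad_scripts(html, bad_hosts=KNOWN_BAD_HOSTS):
    """True positives only: the domain must be the host of a script src, not page text."""
    return [src for src, _ in external_scripts(html)
            if (urlparse(src).hostname or "").lower() in bad_hosts]

def unpinned_scripts(html):
    """External scripts with no SRI attribute: a swapped file would run unchecked."""
    return [src for src, sri in external_scripts(html) if urlparse(src).hostname and not sri]

def sri_value(script_bytes, algo="sha384"):
    """Build the integrity attribute value for a known-good script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, script_bytes).digest()).decode()}"

def sri_matches(integrity, script_bytes):
    """Browser-side rule: at least one listed hash must match the fetched bytes."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_value(script_bytes, algo) == token:
            return True
    return False

# Constructed sample page: one pinned first-party script and one unpinned injected skimmer.
LIB_JS = b"window.checkout = function () { /* legitimate code */ };"
SAMPLE_HTML = f"""<p>Our news post mentions skimmer.example, a string match but not a script load.</p>
<script src="https://cdn.example/checkout.js" integrity="{sri_value(LIB_JS)}"></script>
<script src="https://skimmer.example/js/cart.js"></script>"""
```

Running `flag_bad_scripts(SAMPLE_HTML)` returns only the injected script URL, not the prose mention, and `sri_matches` rejects any byte-level change to a pinned script.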
A second browser defense mechanism to take advantage of is the content security policy (CSP) feature in modern browsers, which lets the website owner control what client-side code has rights to run when loaded from the website. CSP has a number of controls that will help ensure the integrity of the scripts presented by the website to the client.