Magecart – Threat Hunting Edition
Magecart was the malware behind the British Airways and Ticketmaster data breaches a few years back and, unfortunately, it’s still alive and well. In fact, the latest victim appears to be OXO, a consumer household goods brand.
Luckily, researchers are continuing to hunt for Magecart and it’s easy to detect the compromise by looking for links to this malicious code. We saw a tweet the other day that prompted us to run a quick search:
Beyond website security features like segregated rights and permissions and application security practices and updates, the browser can be leveraged to defend the end user’s data. The subresource integrity (SRI) feature allows you to cryptographically fingerprint scripts that you link to and force the loaded code to match before it executes. While this wouldn’t prevent a website’s alteration, it would prevent the code from running on the client, effectively blocking Magecart and similar malware.
A second browser defense mechanism to take advantage of is the content security policy(CSP) feature in modern browsers, which lets the website owner control what client-side code has rights to run when loaded from the website. CSP has a number of controls that will help ensure the integrity of the scripts presented by the website to the client.