CMS Security Concerns: Attacks via Credit Card Skimmer Scripts Spike
On the heels of the July 4 Magecart credit card skimmer attack on 962 stores, the largest such attack so far, comes news that the same credit-card skimmer script is being injected into content management systems (CMS). The attackers’ opening move surprised Malwarebytes’ security researchers and a popular poker tracking service. Now it’s pressuring other antivirus vendors and MSSPs to up their games too.
PokerTracker.com helps poker players improve their game. It certainly doesn’t resemble the traditional, customized Magecart victim, and yet the odds were not in its favor.
“The PokerTracker hack illustrates a common cybersecurity issue: the failure of many companies to update their content management systems; in fact, Panorays’ research found that nearly one-third of U.S. management consultancy firms were running older versions of CMS like WordPress and Drupal,” said Elad Shapira, Panorays’ head of research.
“If such is the case at critical suppliers, then it comes as no surprise that websites like PokerTracker are vulnerable as well. This incident serves as a reminder that companies should check the security of their own websites and technologies, and also take the opportunity to check that their vendors’ systems are up to date,” Shapira added.
The threat has become so prevalent now that the PCI Security Standards Council and Retail and Hospitality ISAC have joined forces to highlight the growing threat of online skimming attacks such as Magecart.
“The alert from the PCI Security Standards Council should be taken seriously since the traditional forms of web application security cannot defend against such client-side attacks. It is critical for website owners to both keep their third-party code up to date and to consider solutions that analyze the behavior of the site in real-time and expose malicious payloads as they are being executed,” said Deepak Patel, security evangelist and vice president of marketing at PerimeterX.
Third-party software on websites is increasing the risk of credit-card skimmer script injections.
“Many reputable organizations use third-party software on their websites. While this helps productivity, it also introduces risks — unknown vulnerabilities open the door for malicious activities,” said Patel.
“This was an interesting development, since threat actors weren’t actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket,” wrote the researchers in a Malwarebytes blog.
Injecting the script into other platforms in the same way maximizes opportunities for attackers.
“Magento is one of the most popular e-commerce platforms, which makes them a prime target for Magecart and similar attacks. It provides a marketplace with thousands of plug-ins — each one can be a source for various vulnerabilities. The fact that so many customers use Magento – many with outdated vulnerable versions – makes them so appealing to Magecart attackers,” said Giora Omer, head of security architecture at Panorays.
These attacks underscore the need for MSSPs and their customers to redouble efforts to secure third-party suppliers, whether their products are CMS, platforms, apps or data streams.