MANILA, Philippines – Following the September 19 reports of the ABS-CBN and UAAP online stores being hacked, we wanted to learn more about the group behind the hack.

Hackers from the Magecart group embedded malware on ABS-CBN’s storefronts. The malware harvested credit card information from users during checkout.

Dutch security researcher Willem De Groot, who found the breach, said the malware had been on the storefronts on or before August 16, 2018, meaning that it had been harvesting data for at least a month before being discovered.

In this Q&A, we discuss the learnings of cybersecurity company RiskIQ, which has been tracking Magecart operations for the past few years. Speaking with us is RiskIQ’s head researcher Yonathan Klijnsma.

Q: RiskIQ said the work behind the ABS-CBN store hackings was a group known as Magecart. Could you elaborate on what Magecart is for our readers? Is it a hacking cooperative or a cybercrime organization of some kind originating from a country or group of countries?

Yonathan Klijnsma: Magecart is an umbrella name for 6 criminal groups that target online eCommerce websites to steal credit card information.

Q: How long has RiskIQ been monitoring Magecart-related online activities?

YK: The first activities we are aware of occurred in early 2015 but we have indicators it was active even in 2014.

Q: Does Magecart have a particular style or signature method by which they act?

YK: There are multiple methods of operation (MO) for the various groups.

For the most part, the “style” that is consistent among these groups is grabbing all form content from payment pages.

The way they do this varies from group to group – some groups grab any form, others explicitly look for payment information and validate this first.

Q: Walk us through a Magecart attack. What does Magecart do to steal personal and credit card information? How do they embed themselves into an existing site to steal information?

YK: Magecart attacks start with a very generic step: breaching the organization they targeted.

They obtain access, which can be by using:

• Default credentials
• Credentials from public and non-public data breaches
• Exploit outdated server software like f.e Struts
• Exploit outdated CMS installations like old Magento installations

Once inside, they will, depending on what the payment process is, inject themselves onto the right pages or simply inject their skimmer code on any page.

Many skimmer implementations manually check if a visitor is on the checkout page and payment information is available.

Q: Is there any way for a company or service to protect against their methods of attack?

YK: They need visibility into their internet-facing attack surface, which many organizations lack.

At RiskIQ we have a unique angle on Magecart detection as we simply visit websites as if we were actual visitors. Once we hit a website we would observe the skimmer activate, this in our system creates incidents which we surface to customers for whom we monitor their websites.

Q: Are there other Philippine targets, or have there been other Philippine sites or services compromised by the group?

YK: There have been an insane amount of compromises. We can’t say explicitly which ones are victims in the Philippines, as operators don’t always use the top-level domain or the country they operate in.

Q: Aside from ABS-CBN, RiskIQ has said other companies hit by Magecart attacks include Ticketmaster, British Airways, and Newegg.

How many companies have been hit by Magecart attacks since RiskIQ began tracking them?

YK: This is easily far beyond 20 to 30 thousand and I am sure it will be even higher due to how some of the groups operate.

Q: How can e-commerce sites mitigate damage from cyberattacks of this sort?

YK: General good security practices, but also perform additional integrity checking.

One option is to monitor your server for any kind of file modifications.

One approach RiskIQ takes here is that we monitor all resources, be it locally hosted or remote, and whenever there is a change we notify customers about this change, which can then be marked as benign or not.

Q: Assuming the inevitability of an attack affecting an online shopper, what methods or immediate next steps can the average user take to mitigate the effects of a hack like this once publicized?

YK: Get your bank to issue new cards but also look into setting up additional verification steps on your payment account.

Banks don’t always have it enabled by default but you can add a second step to your payment process where you have to provide additional proof for the payment.

This way, even when your card is skimmed, payments cannot go through as the attackers cannot perform this 2nd step of verification (such as two-factor authentication or one-time password authentication). – Rappler.com

More information on past Magecart attacks can be found across RiskIQ’s official blog.