Decoding Magecart/Web Skimming attacks during the rise in digital
Aseem Ahmed, Sr. Product Manager, Web Security (APAC)
© 2020 Akamai | Confidential

Posted on 23-Oct-2020

TRANSCRIPT

  • Slide 1

    Decoding Magecart/Web Skimming attacks during the rise in digital
    Aseem Ahmed, Sr. Product Manager, Web Security (APAC)

  • Slide 2

    COVID-19 Internet Landscape

    * 30 per cent increase in transactions in one month

    * Traffic growth jumped 30 per cent in a month, a year's worth of growth

    Source: Akamai

  • Slide 3

    COVID-19 AND THE PERFECT SECURITY STORM

    Remote Work / Phishing / Malware / Web Skimming

  • Slide 4

    Web Skimming and Formjacking: More frequent and more costly

  • Slide 5

    Webpages are more complex now

    www.akamai.com: 68% 3rd-party scripts, 80 hostnames

  • Slide 6

    External Code and Known Security Vulnerability: The problem is real and happening now

    Third-party requests average 67% of all requests across all Akamai customers (average 3rd-party resources per page: 67%)

    Over 80% of pages contain at least one known third-party library security vulnerability (CVE)

    [Chart: Pages with Vulnerable JS (%), Nov-18 to Aug-19; y-axis 72% to 84%; value shown: 83.2%]

    Source: Security and Frontend Performance, Challenges of Today: Rise of Third Parties; Akamai Technologies and O'Reilly Media, 2017

    Source: https://httparchive.org/reports/state-of-the-web#pctVuln

  • Slide 7

    JavaScript Attacks Skim Data From Forms: Many attacks can go undetected for months

    First-Party Attacks: attack first-party scripts located directly on the backend infrastructure

    E-commerce Platform Attacks

    Third-Party Attacks: attacks on third-party vendors, the supply chain, and open source libraries

    [Timeline: durations shown on the slide range from 1 week and 1 month to 6 months and up to 7 months]

  • Slide 8

    JavaScript Attack Vectors

    Third party and supply chain: malicious code is injected into trusted sources; adversaries compromise JavaScripts, and the malicious code executes on trusted sites

    Site origins: direct injection via backend infrastructure

    Outcome: credit card / PII skimmed and sent back to adversaries, with the malicious code hidden in the user interaction

  • Slide 9

    Attack Examples and Targets: Affects all websites with sensitive data

    First-Party Attacks: attack first-party scripts located directly on the backend infrastructure. Magecart attackers were able to hack into the companies' backend infrastructure and inject malicious code alongside the company's existing code.

    Targets e-commerce platforms: attackers target third-party e-commerce platforms; many popular platforms have been compromised by Magecart attackers.

    Third-Party Attacks: attacks on third-party vendors, the supply chain, and open source libraries. Attackers take advantage of security weaknesses in third-party client-side code, including JavaScripts and open source libraries.

    E-commerce: many retail, consumer, and event ticketing sites were attacked

    Travel & Hospitality: multiple airlines and hotel chains lost customer data

    Media: popular streaming service companies lost payment and account info

    Publishing: news sites, eZines, and others lost account info

  • Slide 10

    Pipka Attack Example: Hard to Detect

    ● Targets eCommerce sites to skim credit card information
      ○ Content is hidden via encoding and encryption
      ○ Exfiltration to a hacker-controlled website using an HTML image source tag request
      ○ Self-deleting after theft

  • Slide 11

    Fake Payment Form

    • Payment forms
      ○ Internally developed
      ○ External payment service providers (PSPs)
    • Payment forms are protected by
      ○ Redirecting to a PSP
      ○ Placing sensitive areas of the website in an iframe
      ○ CSPs
    • Attackers overlay or replace the iframe and collect sensitive data

  • Slide 12

    Measures for script protection: Content Security Policies (CSP)

    • When trusted parties get compromised and become the attack vector, CSPs can't detect or monitor it.
    • CSPs are hard to implement and maintain, and if too tight they can lead to a lot of false positives.
    • In the real world, teams are asked to whitelist assets coming from common cloud storage and open source projects, which can leave the site vulnerable.

    When CSPs whitelist common cloud storage as trusted origins, it can lead to vulnerabilities.
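As an added example (not from the slides or Akamai), a small JavaScript checker that parses a Content-Security-Policy header and flags the script-src allowlist weakness this slide describes; the shared-host list, the two header values and the report endpoint are assumptions.

```javascript
// Added example, not Akamai's code: flags the CSP allowlist weakness slide 12 describes
// by parsing a Content-Security-Policy header and auditing its script sources.
// Assumed list of shared hosting origins any tenant can upload to (illustrative, not exhaustive).
const SHARED_HOSTS = [/(^|\.)storage\.googleapis\.com$/, /(^|\.)s3\.amazonaws\.com$/,
  /(^|\.)blob\.core\.windows\.net$/, /(^|\.)raw\.githubusercontent\.com$/];

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Host part of a source expression; keywords, nonces and hashes ('...') have none.
function hostOf(source) {
  if (source.startsWith("'")) return null;
  const m = source.match(/^(?:[a-z]+:\/\/)?([^/:]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Findings for script-src (falling back to default-src, as browsers do).
function auditScriptSources(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"] || [];
  const findings = [];
  if (sources.length === 0) findings.push("no script-src or default-src: any script may run");
  for (const src of sources) {
    if (src === "'unsafe-inline'") { findings.push("'unsafe-inline' lets injected inline scripts run"); continue; }
    if (src === "*" || src === "https:") { findings.push(`${src} allows scripts from any origin`); continue; }
    const host = hostOf(src);
    if (!host) continue;
    if (host.startsWith("*.")) findings.push(`${src}: wildcard allows any subdomain`);
    if (SHARED_HOSTS.some((re) => re.test(host.replace(/^\*\./, "")))) {
      findings.push(`${src}: shared storage origin, other tenants can serve scripts from it`);
    }
  }
  return findings;
}

// Constructed policies: the permissive allowlist slide 12 warns about, and a nonce-based one.
// The nonce-based policy still cannot stop a compromised script that is itself allowed.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://storage.googleapis.com " +
  "https://*.s3.amazonaws.com https://raw.githubusercontent.com";
const STRICT_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https://psp.example; " +
  "report-uri /csp-report";
```

Running `auditScriptSources(WEAK_CSP)` lists five findings while the nonce-based policy yields none, which covers the allowlist point of this slide but, as its first bullet says, not a trusted script that has itself been compromised.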

  • Slide 13

    Measures for script protection: Static Scanners

    • Static scanners do not monitor all real-user sessions or detect vulnerabilities in real time.
    • Malicious code can be invisible to many synthetic site scanners by mimicking anti-bot techniques.
    • Code obfuscation techniques can mask attacks from scanners.
    • In one such Magecart attack, the script placed on the final checkout page skimmed personal credit card info from unsuspecting customers.
    • The hackers modified the JavaScript so that it only ran following the user's interaction ('mouseup' or 'touchend').

    The Malicious Code Used in one such Hack

    The stolen data was then transferred to a server with a similar domain name and an HTTPS certificate that the hackers had set up in advance.

  • Slide 14

    Why do we need a different approach?

    Stealing sensitive customer data is not new but…
    • Hackers have developed new techniques to compromise browsers, hiding malicious code in scripts
    • Security teams can't test for these attacks and can't see them
    • Restricting script use will impact business agility and user experience
    • New security controls are needed to counteract this problem

    3.7M websites compromised monthly
    78% 2018 supply chain attacks
    4,800 web-skimming attacks yearly
    Source: Symantec 2019 Internet Security Threat Report

  • Slide 15

    What do you need?

    • Protection from hidden malicious code
    • Visibility into script attacks
    • Simple deployment, administration and real-time alerting

  • Slide 16

    Demo Attack Test Site

    ● Forms test site attacked with malicious JS code
      ○ Fully functional eCommerce checkout page form
      ○ Used a white-listed domain

    [Diagram labels: Demo asset; Malicious JS code]

  • Slide 17

    Web Skimming Attack Results: Immediate Visibility, Detection, Assessment

    • Suspicious behavior immediately detected
    • Destination not blacklisted
    • No manual intervention
    • Behavior detection model set a critical risk score

    [Screenshot labels: Credit Card info taken; High Risk Score]
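As an added example (not from the slides or Akamai), a toy behaviour-based scoring model in JavaScript for the kind of detection slides 13 and 17 describe: it scores a constructed trace of script actions and flags a script that reads payment fields after user interaction and sends them to a destination that is on no blacklist, with extra weight for the image-tag beacon of slide 10 and the look-alike domain of slide 13. The hosts, field names, event shape, weights and thresholds are all assumptions.

```javascript
// Added example, not Akamai's code: behaviour-based scoring of a constructed script trace.
const SITE_HOST = "shop.example";                                 // assumed first-party host
const EXPECTED_HOSTS = new Set(["shop.example", "psp.example"]);  // assumed allowlist
const SENSITIVE_FIELDS = new Set(["cardNumber", "cvv", "expiry"]);
// Levenshtein distance, used to spot look-alike exfiltration domains (slide 13).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
const registrable = (host) => host.split(".").slice(-2).join(".");
// Score one script from its events; the destination need not be on any blacklist.
function scoreScript(events) {
  let score = 0; const reasons = [];
  const readsSensitive = events.some((e) => e.type === "read" && SENSITIVE_FIELDS.has(e.field));
  const waitsForUser = events.some((e) => e.type === "listen" && ["mouseup", "touchend"].includes(e.event));
  if (readsSensitive) { score += 30; reasons.push("reads payment fields"); }
  for (const e of events) {
    if (e.type !== "request" || EXPECTED_HOSTS.has(e.host)) continue;
    score += 30; reasons.push(`sends data to unexpected host ${e.host}`);
    // Image-tag beacon carrying a long query string: the Pipka exfiltration style (slide 10).
    if (e.via === "img" && e.queryLength > 200) { score += 20; reasons.push("image beacon with large query"); }
    const dist = editDistance(registrable(e.host), registrable(SITE_HOST));
    if (dist > 0 && dist <= 2) { score += 20; reasons.push("look-alike of first-party domain"); }
  }
  if (readsSensitive && waitsForUser) { score += 10; reasons.push("acts only after user interaction"); }
  score = Math.min(score, 100);
  return { score, reasons, verdict: score >= 70 ? "critical" : score >= 40 ? "suspicious" : "benign" };
}
// Group a page trace by originating script and score each script.
function analyzeTrace(trace) {
  const byScript = {};
  for (const e of trace) (byScript[e.script] = byScript[e.script] || []).push(e);
  return Object.fromEntries(Object.entries(byScript).map(([s, evs]) => [s, scoreScript(evs)]));
}
// Constructed trace (not real data): first-party checkout, a third-party analytics tag, and a skimmer as slides 10/13 describe.
const TRACE = [
  { script: "checkout.js", type: "read", field: "cardNumber" },
  { script: "checkout.js", type: "request", host: "psp.example", via: "xhr", queryLength: 0 },
  { script: "analytics.js", type: "request", host: "analytics.example", via: "xhr", queryLength: 80 },
  { script: "loader.js", type: "listen", event: "mouseup" },
  { script: "loader.js", type: "read", field: "cvv" },
  { script: "loader.js", type: "request", host: "cdn.shop.exarnple", via: "img", queryLength: 640 },
];
```

`analyzeTrace(TRACE)` rates the first-party checkout script and the analytics tag benign, and the skimmer critical, even though its destination host appears on no blacklist; a real deployment would collect the trace by instrumenting the page rather than constructing it.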

  • Slide 18

    Summary

    • Formjacking / Magecart attacks are rapidly growing
    • Malicious code is getting into application scripts
    • Current CSP and static scanning protections can't keep up
    • Security teams aren't well equipped to deal with this attack vector
    • Most businesses lack visibility into the full 3rd-party JavaScript ecosystem
    • Real-time detection of suspicious script behaviors is the only way to effectively see and mitigate attacks