
MageCart Defense Strategies

Tom Robertshaw
September 05, 2019

The fight goes on to protect our stores from malicious attackers. But what if your store has been compromised for the last month, sending every customer's credit card details to China, and you didn't even know it? Not all breaches advertise themselves. MageCart is a common attack that can silently send credit card information to a third-party server during checkout. What can we do to protect ourselves, and to be alerted if our site has been compromised?


  1. MageCart Defense Strategies Tom Robertshaw @bobbyshaw

  2. Overview: 1. What is MageCart? 2. How do I protect against it? 3. What's my responsibility as a site developer?
  3. Computer viruses are functionally similar to biological pathogens

  4. Malaria: transferred through mosquito bites. Lots of bites, but only a small number cause infection. Infection through a third party.
  5. Supply Chain Attacks: similar to being infected by compromised dependencies. Infection through a third party.
  6. Tuberculosis: most successful against the ill, malnourished and dehydrated. Target unhealthy hosts.
  7. Brute Force Attacks: automated attacks on weak admin credentials or unpatched applications. Target unhealthy hosts.
  8. Tuberculosis: infects others while there are no symptoms. Long incubation.

  9. MageCart: malware that's too aggressive gets caught. Long incubation periods.

  10. MageCart: JS that duplicates form submissions to a dead drop. Invisible to the merchant and customer.
  11. Example: injects script foobar.com/js/extjs/fix-defer-after.js; looks for the payment form and saves values to a cookie; adds an image with src=deaddrop.com?paymentdetails=encoded_data ...but only if dev tools isn't open.
  12. Attack Response: 1. Identify, preserve & remove cylon 2. Investigate activity & breach 3. Add further protections 4. Report 5. Monitor
  13. Protections

  14. MageCart Protections: keep dependencies patched and up-to-date; secure admin passwords; IP-protect the admin area, magmi and other admin tools; remove the Magento 1 downloader.
  15. Assume vulnerabilities: technology comes with security risk and a training burden. Prepare for the worst-case scenario. The rational strategy is to have an intruder alarm.
  16. Monitoring

  17. Security Scanners

  18. Scanners from the community: @gwillem, @_talesh

  19. Content Security Policies: a CSP gives the browser a whitelist of sites that requests can be made to. Anything else is blocked.
  20. HTTP Response Header: content-security-policy: default-src 'self' 'unsafe-inline' *.sagepay.com www.gstatic.com www.google.com *.newrelic.com *.nr-data.net; report-uri https://xcvb435746uwefddfgjk654.report-uri.com/r/d/csp/enforce
  21. Overkill: the "wearing medieval armour to go to the store" approach to security. We need to balance security with user needs.
  22. CSP Report Only Example: content-security-policy-report-only: default-src 'self' 'unsafe-inline' *.sagepay.com www.gstatic.com www.google.com *.newrelic.com *.nr-data.net; report-uri https://xcvb435746uwefddfgjk654.report-uri.com/r/d/csp/reportOnly
  23. Example CSP Report:
      {
        "document-uri": "https://tomrobertshaw.net/",
        "referrer": "",
        "violated-directive": "style-src-elem",
        "effective-directive": "style-src-elem",
        "original-policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://test-report.trackcsp.com/v1/494b06af-eb50-4c85-9097-aa7c31e591b9",
        "disposition": "report",
        "blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans:400,400italic",
        "status-code": 0,
        "script-sample": ""
      }
  24. Collecting Reports: results in a huge number of reports. In practice it is very noisy, e.g. browser extensions. You need a tool to analyze them.
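The analysis tool the slide calls for, as an added example that is not part of the deck: a small Python script (the names classify, triage and host_allowed are my own) that buckets CSP violation reports by effective directive and blocked host, drops browser-extension noise, and flags any host outside the deck's example allowlist. The sample input is constructed from the deck's Google Fonts report plus two made-up reports (an extension script and an unknown image host on the checkout page).

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Hosts from the deck's example policy. '*.' entries match subdomains only, as in CSP host-source syntax.
ALLOWED_HOSTS = ["*.sagepay.com", "www.gstatic.com", "www.google.com", "*.newrelic.com", "*.nr-data.net"]

# Schemes that come from browser extensions or the browser itself, not from the store's own pages.
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "safari-web-extension",
                 "ms-browser-extension", "about", "chrome", "edge"}

def host_allowed(host, allowed):
    """True if host matches a policy entry (exact, or a '*.' wildcard for subdomains)."""
    return any(host.endswith(e[1:]) if e.startswith("*.") else host == e for e in allowed)

def classify(report, site_host, allowed=ALLOWED_HOSTS):
    """Return (bucket, effective directive, grouping key) for one violation report."""
    body = report.get("csp-report", report)      # browsers wrap the fields in "csp-report"
    directive = body.get("effective-directive") or body.get("violated-directive", "?")
    blocked = body.get("blocked-uri", "")
    if blocked in ("", "inline", "eval", "data", "blob"):
        return "inline-or-eval", directive, blocked or "empty"
    parts = urlsplit(blocked)
    if parts.scheme in NOISE_SCHEMES or not parts.hostname:
        return "noise", directive, parts.scheme or "unknown"
    host = parts.hostname
    if host == site_host or host_allowed(host, allowed):
        return "allowed", directive, host        # policy and report disagree: worth a look, not an alert
    return "unexpected", directive, host         # unknown third party loaded into the page

def triage(raw_reports, site_host, allowed=ALLOWED_HOSTS):
    """Group raw JSON reports into counts keyed by (bucket, directive, host or scheme)."""
    counts = Counter()
    for raw in raw_reports:
        counts[classify(json.loads(raw), site_host, allowed)] += 1
    return counts

# Constructed sample input: the deck's Google Fonts report plus two made-up ones.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://tomrobertshaw.net/", "effective-directive": "style-src-elem", '
    '"blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans:400,400italic", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://tomrobertshaw.net/checkout/", "effective-directive": "script-src-elem", '
    '"blocked-uri": "chrome-extension://abcdefghijklmnop/content.js", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://tomrobertshaw.net/checkout/", "effective-directive": "img-src", '
    '"blocked-uri": "https://deaddrop.example", "disposition": "report"}}',
]

if __name__ == "__main__":
    for (bucket, directive, target), n in sorted(triage(SAMPLE_REPORTS, "tomrobertshaw.net").items()):
        print(f"{bucket:14} {directive:16} {target:28} x{n}")
```

An "unexpected" img-src or script-src-elem host on a checkout page is the signal to investigate; "noise" and "allowed" buckets can be dropped or reviewed in bulk.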
  27. Summary: 1. MageCart can be a silent killer 2. Good security hygiene reduces attack vectors 3. Security monitoring is a fundamental part of the application stack
  28. Thanks @bobbyshaw

  29. Links:
      https://nnt.es/Functional%20similarities%20between%20computer%20worms%20and%20biological%20pathogens.pdf
      https://developers.google.com/web/fundamentals/security/csp/
      https://www.linkedin.com/pulse/magical-thinking-internet-security-paul-vixie/
      https://en.wikipedia.org/wiki/Security_breach_notification_laws
      http://www.mondaq.com/unitedstates/x/165468/Privacy/Data+Security+Breach+Notification+Requirements+In+The+United+States+What+You+Need+to+Know
      https://speakerdeck.com/mikispag/so-we-broke-all-csps-dot-dot-dot-you-wont-guess-what-happened-next-michele-spagnuolo-and-lukas-weichselbaum?slide=10
      https://dzone.com/articles/using-csp-nonces-effectively-with-a-service-worker
      https://scotthelme.co.uk/csp-nonce-support-in-nginx/