The Bad Guys Win – Analysis of 10,000 Magecart Vulnerabilities

Presented at Black Hat Europe 2021, Nov. 11, 2021, 1:30 p.m. (40 minutes).

"Magecart" is the common name for an attack in which hackers compromise 3rd party Javascript code to steal information from web-applications or websites that incorporate the code.<br><br>Over the last two years, we monitored the web for vulnerabilities in online infrastructures that enable Magecart attacks or are leveraged in Magecart attacks. Our research also included monitoring additional methods to abuse third-party scripts and bypass the various defense mechanisms that have been put in place to stop these attacks. During this research, we encountered tens of thousands of vulnerable assets, including those owned by governments and global enterprises. Our conclusion from the analysis is that there is no simple solution to defeating Magecart.<br><br>In our presentation, we will go through real-world examples which demonstrate how hackers exploit these vulnerabilities in order to identify the scale of the challenge. We will review common defense approaches that exist today and show why they are not effective. In this defense analysis, we explain the hackers' approach against client-side solutions and why hackers have the upper hand, especially in the context of the enterprise environment. Additionally, we will walk-through a script-less Magecart variant that allows malicious code to execute without modifying scripts, and will present a novel technique to bypass native browser-based defenses as used by enterprises.<br><br>We will present real world examples (that have not been published so far) that affected thousands of companies and will present indications to the fact that vendors do not disclose vulnerabilities to affected companies. Although the situation is not encouraging, there are actions that could be taken to protect organizations and we will present them, as well as summarizing the effectiveness of the different approaches against today's hackers (pros & cons).

Presenters:

  • Nethanel Gelernter - CEO, Cyberpion
    Dr. Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on security of modern infrastructures, and in particular on new attack vectors and threats. Nethanel's work has impacted the most popular online services and triggered design changes in some of the most popular web applications. Today, Nethanel leads Cyberpion, a security company that helps organizations to handle the modern threats on their external attack surface, including handling supply-chain attacks.

Links:

Similar Presentations: