Fighting Formjacking and Magecart - Separating fact from fiction

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 4:30 p.m. (45 minutes)

“Formjacking attacks are simple and lucrative: cybercriminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month. Both well-known and small-medium businesses were attacked, conservatively yielding tens of millions of dollars to bad actors last year.” - Symantec 2019 Internet Security Threat Report

There are several ways to distribute Formjacking scripts, from browser add-ons to malware on the machine, but the most popular is compromising a site's third-party JavaScript and using it to hitchhike to all of that vendor's clients. Because third-party scripts are loaded directly into the browser from remote servers, they are out of bounds for traditional security solutions such as firewalls and WAFs. They are also tough to monitor, as their behavior may change from user to user, making their actions very hard to analyze. However, these scripts share the same level of access to a web page as the website's internal scripts: every script on the page can access every field, manipulate the content of the page and even record keystrokes.

Millions of users were affected by this attack in the past year alone; it is the favorite tactic of the Magecart groups (named for targeting Magento-based sites) and was behind many high-profile hacks, from Delta Airlines to British Airways, Ticketmaster and more.

The recent rise in Formjacking attacks created much noise, with multiple technologies proposed to close this gap: from CSP and SRI to proxying JS to control JS actions on the page and real-time sandboxing. These are advocated with such passion that none of the discussion covers the drawbacks of each approach. In this presentation, I cover all of these approaches, show real-time demos of Formjacking code and how the advocated methods can block it, and examine whether and how easily each can be circumvented.

Presenters:

  • Avital Grushcovski - Source Defense
    An entrepreneur at heart, Avital is first and foremost a creator and a problem solver. For many years, Avital has brought cohesion to the security, professional services, R&D, and marketing efforts of organizations, finding the balance needed to move the company forward while keeping the big picture and company vision in his sights. Understanding that to understand a product you must understand how it “thinks,” not how it works, Avital will always dive into the depths of any product and organization he works in, always hands-on, and always leading by example.
