The Magecart threat and how you can mitigate the risk to your organisation - PowerPoint PPT Presentation



SLIDE 1

#teissamsterdam19

The Magecart threat and how you can mitigate the risk to your organisation

Benjamin Sims Founder Tech City Labs

15:20 – 15:40

SLIDE 2

MAGECART: HOW TWO HUGE COMPANIES LOST 450,000

CUSTOMERS’ DETAILS AND HOW YOU CAN STOP IT HAPPENING TO YOU

SLIDE 3

ABOUT ME

  • Founder of Tech City Labs
  • Background in data engineering and security
  • Advise law firms on litigation around hacking, phishing and fraud cases

DATA DETECTIVE

Benjamin Sims

SLIDE 4

ABOUT THIS TALK

  • Based on public information and (a little) speculation

  • No inside knowledge
  • Check out riskiq.com
SLIDE 5

TICKETMASTER

SLIDE 6

BRITISH AIRWAYS

SLIDE 7

WHO DID IT?

  • ‘Magecart’
  • Background in shopping cart hacks
  • Actually 6 or 7 groups
  • Card numbers sold on to carding forums in bulk

SLIDE 8

MORE AND MORE SOPHISTICATED

  • Deliberate targeting
  • SSL certificates
  • Infrastructure designed to blend in
  • A whole industry: marketplaces, specialist suppliers

SLIDE 9

DATA LOST

  • Names
  • Addresses
  • Credit card numbers
  • Phone numbers
  • CVC codes

SLIDE 10

3RD PARTY JAVASCRIPT INJECTION:

SLIDE 11

EVERY WEBSITE AFFECTED

91

SLIDE 12

THE TICKETMASTER HACK HACK

SLIDE 13

WHAT IT WAS SUPPOSED TO DO

SLIDE 14

INCLUDED ON EVERY PAGE ON THE SITE

SLIDE 15

… AND SOMEBODY HACKED IT

SLIDE 16

… TO INCLUDE SKIMMER CODE

SLIDE 17

PEOPLE START TO NOTICE

April 12th (28 days)
May 10th (46 days)

SLIDE 18

BRITISH AIRWAYS

  • Targeted attack, script highly modified to work only on ba.com
  • Hidden in edited version of the open source Modernizr library
  • Hosted on BA’s *own website*
  • Most likely the CMS compromised in some way

SLIDE 19

PEOPLE START TO NOTICE

SLIDE 20

PEOPLE START TO NOTICE

6th June (73 days)

SLIDE 21

THEY REALISE…

130 days, 40,000 sets of user details (in the UK)

SLIDE 22

BRITISH AIRWAYS

14 days... 380,000 customer details taken

SLIDE 23

MANY MORE

SLIDE 24

HOW TO AVOID BEING THE NEXT VICTIM?

  1. Who can make changes?
  2. Who have you trusted?
  3. Listen to your users and partners
  4. Technical solutions

SLIDE 25

WHO CAN MAKE CHANGES?

MARKETING? DESIGN?

SLIDE 26

WHO HAVE YOU TRUSTED?

SLIDE 27

LISTEN WHEN PEOPLE TELL YOU YOU'VE BEEN HACKED

SLIDE 28

TECHNICAL SOLUTIONS

  • iFrame sandboxing
  • source code monitoring
  • SRI
SLIDE 29

SRI

  • Subresource integrity checking

Magecart don't want you to know this one simple trick!

  • W3C recommendation from 2016
  • Supported by 90% of browsers
SLIDE 30

ALL YOU NEED TO DO

srihash.org

SLIDE 31

Available for questions / consulting

benjamin@techcitylabs.com @techcitylabs