News Insights: P&G Online Beauty Store Hacked to Steal Payment Info

Deepak Patel, security evangelist at PerimeterX, provided the following comments:

“Magecart attacks are happening at an alarming pace. British Airways, Delta Airlines, Ticketmaster, Newegg, customers of the Volusion e-commerce platform, hotel booking sites in Spain and France, Garmin and now a P&G property – the list is long and will continue to grow. It begs the question: What makes Magecart attacks so unique?

“Magecart attacks exploit the website supply chain, including vendors who provide functionalities like product reviews, analytics and inventory management. These third-party vendors often lack adequate security controls to prevent code injection. Also, the scripts loaded from third-party sites execute directly on the user’s browser and communicate with third-party servers without traversing any infrastructure managed by website owners. This visibility gap on the client side, coupled with the weak security controls of third-parties, allows Magecart attackers to continue their skimming attacks undetected.

“Using content security policies (CSPs) or subresource integrity (SRI) checks may stop some of these attacks. But, CSPs and SRIs have been proposed in the past as techniques for server-side formjacking and have proven to be cumbersome and difficult to maintain. Given the dynamic nature of today’s JavaScript code and third-party scripts and libraries, website owners should consider real-time monitoring of script executions for every user from within the browser.”