E-commerce retailers urged to implement client-side solutions to detect attacks that break Same Origin Policy
The comforting notion that payment services hosted within iframes offer an effective defense against Magecart attacks has been shaken.
Security researchers at PerimeterX discovered that some cybercriminals have started using a technique capable of bypassing the protection offered by iframes, which are used to embed HTML documents within another.
The tactic allows Magecart attackers to skim credit card data while allowing successful payment transactions to proceed – a factor that makes hacks stealthier and more difficult to detect.
Outsourced payments
Many e-commerce websites outsourcing their payment process to specialist firms that offer PCI Security Standards Council (PCI SSC) compliant services.
In practical terms, online retailers outsource the management of payments by integrating third-party payment scripts that are hosted within an iframe on the checkout page.
“The iframe which is sourced from the payment provider receives the credit card number, CVV, and expiration date in a protected scope, in which the browser enforces a data access restriction as part of its Same Origin Policy (SOP) security mechanism,” PerimeterX explains.
The approach helps to protect payment forms from Magecart and other digital skimming attacks – or so we’ve hoped.
Saturn runs rings around Braintree
One Magecart group tracked by PerimeterX has been hard at work attempting to break the iframe protection on websites using popular payment services including PayPal-subsidiary Braintree, Worldpay, and Stripe.
“They have been successful in one instance with a website using Braintree,” according to PerimeterX.
The successful attack used a digital skimming toolkit called Saturn to compromise the Braintree-hosted fields payment form on a European e-commerce website.
“The attacker modified the Braintree scripts on the e-commerce website and created [a] multi-step attack resulting in injection of a skimmer script into the hosted iframe while still allowing the transaction to be successful,” PerimeterX reports.
In a technical blog post, PerimeterX explains how by bypassing client-side validation, the browser now loads the iframe from a domain the attacker controls.
After first hacking into the website, the attack begins by changing the Magento Braintree payment script to load the client script from an attacker-controlled domain.
READ MORE Magento security: Exploit released for payment plugin vulnerability
“The attacker controlled iframe will load the Braintree credit card collector, along with an additional skimmer script in the same iframe context which will allow it to access the private details,” according to PerimeterX.
“This effectively bypasses the SOP protection the payment iframe would have solved.”
“This stealthy attack technique gives no indication of compromise to the user or the website admin, enabling the skimming to persist on checkout pages for a long time,” PerimeterX warns.
The security researcher disclosed this issue to Braintree and PayPal, as well as the [unnamed] infected website identified in this attack.
PayPal told PerimeterX that the attack relies on a cross-site scripting (XSS) vulnerability, adding that it cannot be responsible for the web application security of their customers’ websites.
The payment giant added that iframes do not protect the website in this scenario.
The Daily Swig approached PayPal for comment on the attack and PerimeterX’s technical write-up, but the payment firm said it had nothing to add to its earlier comments.
The infected site’s owners are yet to respond to PerimeterX, despite repeated requests.
Defense in depth
The incident shows iframe protection cannot stop Magecart attacks, security researchers argue.
“While iframe protection helps the site comply with PCI DSS standards, compliance does not equal security,” PerimeterX concludes.
“In this case, the website doesn’t hold the credit card information, PayPal only approves legitimate transactions initiated by legitimate users and yet the credit card numbers and CVV were stolen.”
“Businesses must use client-side visibility solutions to detect such attacks and mitigate them quickly,” it adds.
PerimeterX told The Daily Swig: “iframe protection still has value for PCI compliance. However that doesn’t prevent payment card data from being skimmed. Website owners need to be vigilant about how their payment scripts behave in order to detect such digital skimming attacks.”
Attack evolution
The latest attacks are an evolution from previous attacks where Magecart attackers used toolkits such as Inter to modify checkout pages and swap out the hosted fields with fake checkout forms that they control, from where they might be able to skim credit card numbers.
These fake pages failed to allow a successful transaction, alerting the paying customer and the site admin that something was amiss and therefore limiting the effectiveness of the attack.
Sys admins alerted to possible problems could restore a clean version of the site and remove the infection. By using the Saturn toolkit trickery transactions can go through and no alerts are generated, resulting in a far stealthier attack.
This story has been updated to add comment from PerimeterX.
RELATED Magecart: How a single skimming case evolved into widespread credit card theft