Client Side Security: Magecart Attack Detection Upgrade

March 17, 2020

Georgina Grant-Muller Read Blog: 4 min

We’re excited to announce the release of a major upgrade to our market-leading client-side security feature that detects Magecart type attacks fast. We’ve improved the engine that powers our ability to detect Supply Chain Attacks, Web skimming and Formjacking with our most advanced features to date.

The new version of our Attack Detection (formerly known as Magecart Detection) engine is now powered by two of our key monitoring tools: synthetic monitoring (via User Journeys) and Real User Monitoring to protect the pages that are the most important to your business plus we have added a Client Side Security Scanner dedicated to detecting Magecart attacks and the ability to easily manage everything from a centralised dashboard.

We can now examine more data points than ever before – helping us to understand exactly where your customer’s information is being sent to, allowing you to both proactively and reactively detect data breaches on the client side faster than ever.

How Attack Detection Works

The Synthetic Attack Detection is the machine-driven part of the engine. This automated monitor continuously walks through the critical areas of your website. It will see any data sent to untrusted hosts as it browses, exactly like a real customer in a controlled environment.

When configuring the monitor, you can choose the areas of your site which you need to protect – e.g. any areas where users submit sensitive data – login pages, checkout/payment pages, and forms. The synthetic User Journey then runs on a continuous cycle, looking for new hosts and scanning for tell tale signs of a potential Magecart attack. If it spots anything suspicious, you’ll be alerted as soon as it happens. This means it could potentially alert you even before a data breach occurs.

Client Side Security Scanner: Potential Issue Found

The major addition is the NEW Real User Attack Detection engine essentially making all your website users into data breach security bots. When a real user visits your protected page, information is collected on where their data is being sent. RapidSpike will list all hosts detected, so you can review the data locations of potentially compromised data. If a malicious destination is added to your website, it will appear in your untrusted hosts for you to investigate.

NOTE: None of the data RapidSpike captures is personally identifiable so our engine is 100% GDPR compliant.

Filtering

Security tools often provide a lot of false positives. To customise your Magecart Detection we’ve included a filtered view. This allows you to fine-tune sensitivity to reduce any unwanted noise. This filter is completely customisable to your needs. We recommend setting the filter between 20-40%. E.g. if you filter by 20%, the monitor will alert when hosts are seen by a minimum of 20% of your real users. This setting helps you gain a thorough understanding of hosts affecting customers without picking up on customer specific plugins which only affect a few of your customers. You also have unfiltered results so if you need to review everything you still can.

Client Side Attack Detection: Filter Settings

Trusting Data

When you’ve decided a discovered host is safe, you can click to “Trust” it. This will add it to your personal whitelist and remove it from your dashboard.

Client Side Attack Detection: Trusting Hosts

To help with the trusting process we’ve created our own list of Safe & Unsafe hosts. These lists have been created to help give you a steer on if a host is common and safe or known to be dangerous. The Unsafe list is compiled from some of the world’s most comprehensive hacking databases.

However, if the host is unknown (there are millions and millions of destination hosts across the world!) we’ve added a number of research routes to every host to help you understand whether the host is a problem.

All new data collected will be listed as “untrusted” until you decide to either; a) trust the host, investigate it and remove it, or b) delete it from your untrusted host list.

Client Side Attack Detection: Trusted Whitelist

Attack Detection Alerts

The alerts have remained very similar to how they were on our old Magecart Detection tool. You can change the frequency of your testing to suit your needs. You can also receive notifications on a variety of channels including; SMS, email, voice call, Slack channels, WebHooks, PagerDuty, Pushover and Microsoft Teams/Office 365.

The new Client Side Attack Detection engine is now live on the app!

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.