Magecart – A Victim’s Perspective

We’ve discussed Magecart very frequently in recent months and it’s getting worse, with new attacks coming to light on a weekly basis. At RapidSpike, we are committed to raising exposure on these types of attacks and educating companies as to how they can effectively detect data breaches and reduce their exposure to them.

Last year…it got personal. A family member of one of the team here at RapidSpike had their financial information stolen in the Vision Direct Magecart attack. (For more detail on that attack, including how the hackers infiltrated the site, check out our post here: Data Breaches by Example – Vision Direct.)

The Vision Direct data breach occurred over 5 days from 3rd-8th November 2018 and affected 6,600 customers.

A malicious JavaScript file was injected into the Vision Direct website, posing as a legitimate Google plugin. Vision Direct addressed the data breach, stating: ‘Personal and financial details of customers were compromised. That data includes full names, addresses, telephone numbers, email addresses, passwords and payment card data (card numbers, expiration dates and CVV numbers).’

The affected customer spoke to RapidSpike, explaining: “I felt sick to my stomach when I found out someone else had my card details. Even though I got my money back, it’s shaken me up and made me feel very conscious about purchasing items online.” They went on to say, “When you order from a company you trust them to have proper security in place to protect customers.”

Reputational Damage

According to the General Data Protection Regulation (GDPR), companies that suffer a data breach have to disclose it to customers within 72 hours. Additionally, ZDNet reports: ‘If the UK’s Information Commissioner’s Office (ICO) finds that a company has failed to take adequate and reasonable steps to protect customer data, this can result in fines of up to €20 million or four percent of annual global turnover, whichever is higher.’

Data loss and ICO fines can be seriously damaging to a company. However, it is the reputational damage that can be the most devastating consequence of a data breach.

DataQuest’s Director Manoj Dhingra explains, “A data breach is the worst possible thing to happen in an organization, more so because it’s not just about the data loss; it is also a major loss of the company’s hard-earned prestige.” However, he goes on to say, “if the organization is following proper data security measures, and also with the help of an established data care provider, it is possible for them to recover the lost data and retain business continuity.”

Corne Mare, Director of Security Solutions at Fortinet Australia, agrees that the damage can be managed, explaining: “While immediate business performance may be impacted following a breach, it seems the market is quite forgiving of most companies when it comes to compromised data in the long term. And there is evidence that consumer and investor trust is not necessarily broken after a data breach.”

There are exceptions though: Mare explains how International Airlines Group’s share price has not recovered since British Airways was hacked last year.

Asked about their feelings towards Vision Direct, our affected Vision Direct customer said: “Vision Direct handled the situation very well. They told me two days after the incident and the team were very friendly and helpful. This being said, I do feel as though I am very wary of buying from them again.”

Magecart aren’t going anywhere…

Magecart are running a large-scale operation, with Security Boulevard reporting that over 185,000 payment card details were stolen by Magecart during the past year. Symantec’s Internet Security Threat Report states that formjacking alone compromises 4,800 sites per month, and that in 2018 supply chain attacks were up 78% on the previous year.

You might expect a breached company to take every security precaution necessary to secure customer data. However, security researcher Willem de Groot, who has been tracking Magecart attacks since 2015, explains that the average reinfection time is just 10.5 days.

In the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times. This can be seen in a recent attack reported at the start of this month, involving the compromised American Medical Collection Agency payment portal responsible for the Quest Analytics and LabCorp data breaches of nearly 12 million patients’ details. This is not the first breach for Quest Analytics, who are dealing with their second in 3 years.

The question this poses is how long customers should continue to trust brands that don’t commit to improving security after a breach. Asked this, the affected Vision Direct customer stated: “If a company revealed my personal details for a second time, there’s no chance I would purchase from them again. They quite clearly don’t care enough about looking after my information.”

“Significant Stress and Heightened Anxiety”

Ticketmaster has been hit by a £5 million legal action over its Magecart attack, which affected 40,000 customers over a 4-month period in June 2018. The attack occurred due to malicious scripts in a third-party customer support product from Inbenta Technologies.

Hayes Connor Solicitors are representing 650 customers claiming damages against the company. Kingsley Hayes, Managing Director at Hayes Connor Solicitors, explains how many had “suffered multiple fraudulent transactions”, while a third endured “significant stress and heightened anxiety” after attempts were made to hack into their emails.

The stress a data breach causes to consumers is rarely spoken about. Customers are the ones who have to deal with changing their credit/debit cards and personal passwords and securing their other online accounts. Changing personal details can be stressful because of the urgency involved. Even after these changes, much of a customer’s personal information remains the same, including their name, address and telephone number. This is another unsettling detail that consumers have to deal with.

The affected Vision Direct customer had this to say: “It’s a worry I shouldn’t have.” RapidSpike couldn’t agree more, which is why we have created a Data Breach Monitor that takes this stress away from companies and their customers.

What can customers do?

It simply isn’t realistic to expect consumers not to have and use a debit or credit card. An analysis reported by consultancy.uk explains that online retailers saw growth of 15% at the start of 2019, compared to 4% for traditional retailers.

RapidSpike recommends that consumers check their banking transactions on a regular basis and report any suspicious activity to their bank immediately.

It isn’t the customer’s fault that a data breach occurs, which is why the responsibility should lie with companies. Increased stress for the customers affected by a data breach can cause emotional and mental strain, as well as a lingering lack of trust in the breached company. A combination of cybercriminals, poor configuration and a lack of monitoring is the cause of data breaches. Companies need to manage this threat through monitoring and security solutions.

Part of our core mission at RapidSpike is to help make the internet safer for companies and their customers. If you are reading this and your details have been compromised due to a Magecart attack, or it’s something that you worry about, tweet the company with:

Hi @companyname, please improve your website security with the @rapidspike Data Breach Monitor. #MagecartMonitoring

Sending them our way will ultimately improve security for thousands of people.

You can catch up on all the data breaches of the previous month in our blog Magecart Monthly: May.

Detect website skimming, formjacking and supply chain attacks.