Published on May 12th, 2021
Written by Sanjay Sawhney, Co-Founder and VP of Engineering

E-commerce is booming, so are Magecart attacks

The global e-commerce economy continues to grow with nearly $26.7 trillion spent in 2020. Website owners have an obligation to protect their sites, their data, and their customers to ensure the integrity of online transactions. They face increasing pressure to safeguard against browser-side attacks like Magecart.

When Magecart attacks first began back in 2015, they primarily targeted open-source Magento e-commerce platforms. Today, no online shopping platform is safe. In fact, one multi-functional script was found to have been coded to collect data from an incredible 57 different payment platforms. These attacks are part of a rapidly growing trend of targeting browser-side website vulnerabilities to launch JavaScript card-skimming attacks. There is clearly a lot at stake.

Ultimately, trust matters in e-commerce. Without it, customers will change where they buy. According to a survey, 62% of consumers have abandoned an online transaction due to concerns over security. As such, website owners must do all they can to ensure the integrity of e-commerce. Despite these concerns, security appears to be lagging: Dark Reading reported that 2 million websites were infected with skimmers on the cusp of the 2019 holiday shopping season.

Understanding that security fosters trust, a Shopify partner offered a number of recommendations for ensuring website security. Shopify is the world’s 2nd largest e-commerce platform, and this set of prescriptive advice for ensuring the security and integrity of online commerce provides a good framework for website owners to consider as they endeavor to secure their web assets. The following recommendations have been extracted directly from the article.

13 ways to start building Magecart protection

Each item names the feature, followed by its explanation.

1. Security must be part of the development process: security should integrate with CI/CD pipelines and provide risk analysis before deploying to production environments.

2. Use a modern framework that handles security automatically: consider automation to assist customers with deploying industry-standard security functionality.

3. Avoid typical XSS mistakes: Content Security Policy (CSP) covers a wide range of XSS attacks.

4. Consider Trusted Types: Trusted Types safeguard against XSS attacks by allowing dangerous injection sinks to be locked down.

5. Consider using textContent instead of innerHTML: identify all uses of innerHTML within the web app and replace them with textContent.

6. Compartmentalize your application: website architecture dependent.

7. Be careful when using Google Tag Manager: define the relationship and ownership of tag management between the organization's security and marketing functions.

8. Be more selective with third-party scripts: create and continuously monitor a comprehensive inventory of third-party scripts.

9. Audit your dependencies: website architecture dependent.

10. Use Subresource Integrity for third-party CDN hosting: SRI uses a cryptographic hash of each fetched resource to ensure site integrity.

11. HTML encoding is not enough: protect against XSS and other advanced threats.

12. Implement CSP: CSP offers standards-based security in the form of fine-grained allowlists. CSP is best used in conjunction with other security mechanisms to provide effective defense in depth.

13. Be mindful of what you’re exposing: create an inventory and map all user data that is exposed to third parties.

The recommendations above are a good starting point for implementing website security. However, many organizations quickly become overwhelmed by the perceived complexity of some of these recommendations. As such, considering a vendor that can assist with the activation of these capabilities can accelerate deployment of this key functionality and reduce the administrative burden on often over-burdened staff.
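Items 3 and 12 recommend CSP without saying what a weak policy looks like next to a useful one. This added example (not code from the page or from Tala) parses a Content-Security-Policy header and flags the settings that leave a skimmer free to run and to send card data out; the two policies, the nonce placeholder and the API host are constructed for the example.

```javascript
// Parse a Content-Security-Policy header into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Flag the settings that matter for skimmer injection and exfiltration.
// Returns a list of findings; an empty list means none of these checks fired.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p.get('script-src') || p.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts can load from anywhere');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline script runs");
    }
    if (scriptSrc.some((s) => s === '*' || s === 'https:' || s === 'http:')) {
      findings.push('script-src allows any host: attacker-hosted script is permitted');
    }
  }
  if (!p.get('connect-src') && !p.get('default-src')) {
    findings.push('connect-src unrestricted: fetch/XHR can post form data to any origin');
  }
  if (!p.has('require-trusted-types-for')) {
    findings.push("missing require-trusted-types-for 'script': DOM sinks unguarded");
  }
  if (!p.has('report-uri') && !p.has('report-to')) {
    findings.push('no report-uri/report-to: violations are invisible to defenders');
  }
  return findings;
}

// Constructed policies: a weak one and its hardened counterpart.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'nonce-PLACEHOLDER' 'strict-dynamic'", // nonce must be fresh per response
  "connect-src 'self' https://api.example.com",
  "require-trusted-types-for 'script'",
  'report-uri /csp-report',
].join('; ');
```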

Tala automates standards based security

Tala Security is such a vendor and protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala prevents attacks by automating the deployment and dynamic adjustment of standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards.

The activation of these browser-native security controls provides comprehensive security without requiring any changes to the application code and with no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 150 security relevant indicators to automate the generation, implementation and updating of security policies. Tala also provides customers with streamlined alert analytics and incident management. Today, Tala serves large enterprises in verticals such as financial services, online retail, payment processing, hi-tech and fintech.

Tala offers a compelling set of capabilities for immediately addressing the website security capability set referenced above.

Sanjay Sawhney, Co-Founder and VP of Engineering


Sanjay Sawhney is the co-founder and VP of Engineering of Tala. Sanjay is an experienced engineering leader, technologist and entrepreneur who has worked for 25+ years in various engineering capacities in both well-established companies and startups. Most recently, he spent 9 years at Symantec managing Symantec Research Labs, one of the key innovation engines of the company. Prior to joining Symantec, he co-founded two companies and led their engineering: Neoscale Systems, a data encryption company, and Ukiah Software, a network security company. Earlier in his career, he worked in various engineering positions at Novell. Sanjay received a B.Tech. in Electrical Engineering from the Indian Institute of Technology, Delhi, and an M.S. in Computer Science from the University of California, Santa Barbara.
