Yet another cyber security concern for ecommerce startups

Startups looks at a cyber security concern that faces ecommerce startups and major online shops alike: Magecart attacks.

In its late November 2021 article, ‘Preparing for phishing attacks this Black Friday’, Startups looked at why phishing scammers are especially active during Black Friday. And as the piece touched on, alongside phishing attacks, there is also a part of ecommerce hacking known as ‘magecart’. This article looks at what magecart is and what it means for online shops.

What is Magecart?

Magecart is a cybercrime syndicate which carries out a type of digital skimming attack using online payment systems. Digital skimming (aka online card skimming) is the general term for a process by which online shoppers’ financial details are jeopardised by a malicious actor who attempts to do one or both of the following:

  • Skim the payment data from an unsuspecting online shopper’s already-filled-out payment form
  • Lead an unsuspecting online shopper to a fake checkout page where their payment data can then be compromised

What makes a Magecart attack different to a traditional form of digital skimming is that a Magecart hacker injects JavaScript code not only to skim an online shopper’s financial data, but to outright manufacture a fake checkout page to defraud the user. This is possible because of notable vulnerabilities in online checkouts’ payment forms, which are found even in respected payment gateway software. In fact, the term ‘magecart’ is a portmanteau of the leading ecommerce software ‘Magento’ and its digital ‘cart’ that customers use for online transactions.

Just one example of a Magecart attack is when an actor interferes with an ecommerce site’s JavaScript, allowing them to add further payment form fields: this then tricks the customer into revealing more sensitive information than their seller requires of them. This problem has been compounded by the fact that online shops, especially startups, are increasingly reliant on third-party payment gateways. While the use of third parties makes it easier for small businesses to set up their online transaction system, it also means that these organisations are left with less control over their own ecommerce software code – and their customers could suffer as a result.
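One way a shop could watch for the tampering described above, shown as an added example that is not part of the original article: compare a saved snapshot of the checkout page against a known-good list of script hosts and payment form fields. The host names, field names and sample HTML are constructed for illustration.

```javascript
// Added example: audit a checkout page snapshot against a known-good baseline.
// All hosts, field names and the sample HTML below are constructed.
const BASELINE = {
  scriptHosts: new Set(["shop.example", "pay.gateway.example"]),
  fields: new Set(["card-number", "expiry", "cvc", "postcode"]),
};

// Collect one attribute's values from every matching tag. A regex scan is
// enough for a monitoring snapshot; it is not a full HTML parser.
function attrValues(html, tag, attr) {
  const tagRe = new RegExp(`<${tag}\\b[^>]*>`, "gi");
  const attrRe = new RegExp(`\\s${attr}\\s*=\\s*["']([^"']*)["']`, "i");
  const out = [];
  for (const m of html.matchAll(tagRe)) {
    const a = attrRe.exec(m[0]);
    if (a) out.push(a[1]);
  }
  return out;
}

// Report script hosts and form fields that are absent from the baseline.
function auditCheckout(html, pageOrigin, baseline = BASELINE) {
  const findings = [];
  for (const src of attrValues(html, "script", "src")) {
    // Resolve relative URLs against the shop's own origin.
    const host = new URL(src, pageOrigin).hostname;
    if (!baseline.scriptHosts.has(host)) {
      findings.push({ type: "unexpected-script-host", value: host });
    }
  }
  for (const name of attrValues(html, "input", "name")) {
    if (!baseline.fields.has(name)) {
      findings.push({ type: "unexpected-form-field", value: name });
    }
  }
  return findings;
}

// Constructed snapshot: one script host and one field not in the baseline.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://pay.gateway.example/v2/sdk.js"></script>
<script src="https://cdn.analytics-widgets.example/t.js"></script>
<form id="payment">
  <input name="card-number"><input name="expiry"><input name="cvc">
  <input name="postcode"><input name="card-pin">
</form>`;

console.log(auditCheckout(SAMPLE_HTML, "https://shop.example"));
```

This only inspects static markup; fields or scripts added at runtime would need the same comparison run against a browser-rendered snapshot of the page.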

Preparing ecommerce businesses

Often, ecommerce startups and SMEs are unaware of (or even unconcerned about) the importance of cyber security. Perhaps this stems from the fact that many entrepreneurs falsely believe that it’s really only the major companies that, being more well-known, are likely to be targeted by magecart attackers and other malicious actors.

While major businesses, such as British Airways, have indeed seen their customers attacked by magecart attackers, this is still no reason for startups and SMEs to drop their guard. Indeed, startups should be particularly cautious: regardless of their size, new companies are especially vulnerable because a lot of cyber security expertise is learned on the job over time. This means that many entrepreneurs who are fresh to ecommerce will not have had long enough to benefit from such experience in online safety.

As the stay-at-home restrictions against COVID have led to an unprecedented increase in online shopping, launching an ecommerce startup is now one of the most frequent career choices for modern entrepreneurs. But the downside of such online earning potential is that the sheer scale of ecommerce makes the online shopping industry all the more of a hot zone for hackers. An important way for business owners to be prepared is to act on the fact that many cyber security attacks are opportunistic. This means remembering that, big or small, new or old, any vulnerable ecommerce site can be found online and exploited, even by hackers who initially would never have heard of their chosen target.

As is so often the case, proper research and communication are critical for entrepreneurs to protect both their reputation and their customers. The best advice to ecommerce entrepreneurs can be found by searching online for guidance from those whose careers hinge on cyber protection. This includes software security companies, ethical hackers – and, of course, those online retailers who have themselves encountered the Magecart attackers.