Macy’s, Magecart, Black Friday, and JavaScript Code Injection

by Will Munroe

Macy’s became the latest in a long list of victims attacked by the different cybercriminal syndicates collectively referred to as Magecart. Others include British Airways, Ticketmaster, and Newegg. It turns out that thousands of eCommerce websites can be compromised by “formjacking” attacks, in which JavaScript skimmers and sniffers injected into shopping cart and checkout pages capture customer credit card and PII data as it is typed and send it to a server the attacker controls.

Why is the attack so prevalent?

Many companies deploy web applications without fully considering even basic security controls. Protecting PII data is often overlooked during development, QA, and deployment, and the controls that specifically limit what an injected script can do, such as restricting which scripts may run on payment pages with a Content Security Policy, pinning third-party scripts to a known hash with Subresource Integrity, and keeping an inventory of every script the checkout page loads, are rarer still. Other companies do not keep their underlying content management system or eCommerce platform patched and up to date. For attackers, it is simple to find these weaknesses and inject malicious code that steals payment and other information.
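The following is an added example, not code from the original post or from RangeForce: a small Node.js script-inventory check of the kind a developer or SOC analyst would run against the rendered HTML of a checkout page to spot a Magecart-style injection. It lists every script tag, flags scripts loaded from origins that are not on an allowlist, scripts without an integrity hash, and inline scripts, and prints the Content-Security-Policy value that would refuse the flagged ones. The page HTML, the allowlisted origins, and the hostnames are all constructed for the demonstration; the tag parser is a deliberately simplified regex, adequate for this sample but not a general HTML parser.

```javascript
// Added example (not part of the original post). All hostnames, the
// allowlist and the page below are constructed for the demonstration.

// Origins from which the checkout page is expected to load scripts.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  'https://shop.example.com',
  'https://cdn.example.com',
]);

// Constructed checkout page: a first-party script with an integrity hash
// (placeholder value, not a real digest), a CDN library with no hash, an
// inline script, and a loader from an origin that is not on the allowlist,
// which is the shape an injected skimmer loader typically takes.
const CHECKOUT_HTML = `
<html><head>
<script src="https://shop.example.com/js/checkout.js"
        integrity="sha384-PLACEHOLDERdigestNotARealHashValue0000000000000000000000000"
        crossorigin="anonymous"></script>
<script src="https://cdn.example.com/lib/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://static-assets.example.net/analytics.js"></script>
</head><body><form id="checkout"></form></body></html>`;

// Pull every <script> tag out of the HTML. Simplified regex parser: fine
// for this constructed page, not a substitute for a real HTML parser.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(attrs);
    const integrity = /\bintegrity\s*=\s*"([^"]*)"/i.exec(attrs);
    scripts.push({
      src: src ? src[1] : null,
      integrity: integrity ? integrity[1] : null,
      inline: !src,
      body: m[2].trim(),
    });
  }
  return scripts;
}

// Compare the script inventory against the allowlist. pageOrigin resolves
// relative src values. Returns one finding per problem script.
function auditScripts(scripts, allowedOrigins, pageOrigin) {
  const findings = [];
  for (const s of scripts) {
    if (s.inline) {
      findings.push({ severity: 'medium', src: null,
        reason: 'inline script: cannot be pinned by SRI; a hash or nonce CSP would block it' });
      continue;
    }
    let origin;
    try {
      origin = new URL(s.src, pageOrigin).origin;
    } catch (e) {
      findings.push({ severity: 'high', src: s.src, reason: 'unparseable script URL' });
      continue;
    }
    if (!allowedOrigins.has(origin)) {
      findings.push({ severity: 'high', src: s.src,
        reason: `script loaded from non-allowlisted origin ${origin}` });
    } else if (!s.integrity) {
      findings.push({ severity: 'medium', src: s.src,
        reason: 'no integrity attribute: a modified file on that host would load unnoticed' });
    }
  }
  return findings;
}

// CSP that refuses the flagged cases: script-src without 'unsafe-inline'
// blocks injected inline code and any loader from an unlisted origin;
// connect-src 'self' stops fetch/XHR/sendBeacon exfiltration to a third
// party (image beacons would additionally need img-src restricted).
function buildCsp(allowedOrigins) {
  const origins = [...allowedOrigins].join(' ');
  return `script-src 'self' ${origins}; connect-src 'self'; object-src 'none'; base-uri 'self'`;
}

function runAudit() {
  const scripts = extractScripts(CHECKOUT_HTML);
  return auditScripts(scripts, ALLOWED_SCRIPT_ORIGINS, 'https://shop.example.com');
}

console.log(JSON.stringify(runAudit(), null, 2));
console.log('Content-Security-Policy:', buildCsp(ALLOWED_SCRIPT_ORIGINS));
```

Run against a page captured by a crawler or from a browser's saved DOM rather than the static template: Magecart injections are frequently added server-side or by a compromised third-party file, so the inventory must come from what the customer's browser actually received. A "high" finding on a checkout page is an incident, not a backlog item.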


So what can be done?

In the security industry, the answer is often to throw more technology at the problem. For formjacking, as for many attacks that have persisted for years, the better answer is training: training focused on developers so that the code they ship is secure; training for both security team members and developers to improve their ability to identify code vulnerabilities; and training for security operations teams so they can recognize and contain formjacking, cross-site scripting (XSS), SQL injection, and all the other time-tested favorites of our adversaries. The need is even more pressing given the proximity to Black Friday and the holiday shopping season.

On-Demand Training and Simulation

RangeForce delivers close to 100 online training modules, with tracks covering security operations and DevOps and 46 modules focused on web application security (WASE) skills. WASE subjects range from SQL and command injection methods and their detection, to cookie security, to finding and fixing file path traversal vulnerabilities. Other modules train web application developers to build basic security into their applications before they are deployed, and SOC modules teach teams how to detect and contain a formjacking attack.

Most importantly, RangeForce’s training platform includes hands-on simulations for each stage in the training. Cyber Pros can roll up their sleeves and get their hands dirty working at the command line level while dealing with a real attack and its fallout.

Virtual simulation training is a proven learning methodology for complex subjects like cybersecurity. It is also a lot less expensive than deploying some new security technology that claims to solve the problem. Remember, the three pillars of security are people, process, and technology. Maybe it is time to put more effort into the training pillar. Perhaps it is time to take a look at RangeForce.
