The Cisco Magecart Attack

September 10, 2024

Georgina Grant-Muller Read Blog: 3 min

The latest notable attack discovered on 2nd September 2024, occurred on the Cisco merchandise website. We explore the intricacies of the Cisco Magecart attack and what we know so far.

Get Started With Free Magecart Detection

Understanding Magecart Attacks

Magecart also known as web skimming attacks, are not a single group but rather a collective of various cybercriminal groups that exploit vulnerabilities in websites for financial gain. These attackers often insert malicious JavaScript code into web pages to intercept payment card data during the checkout process. This intercepted data is then transmitted to external servers controlled by the attackers and sold on the dark web.

Magecart Attack Execution

Attackers utilised several methods to execute the Magecart attack:

Vulnerabilities: The attackers gain access to the ecommerce site, exploiting vulnerabilities within the site’s code. Common entry points include outdated plugins, insufficient access controls or marketing tools.

Injection of Malicious Code: Once the attackers have access, they inject a malicious JavaScript snippet directly into the checkout pages. This code is designed to capture credit card details, billing information, and other sensitive data entered by users.

Data Exfiltration: The stolen data is then sent to remote servers, often using obfuscation techniques to hide the true nature of the outbound traffic.

The Cisco Magecart Incident

On 1st September 2024, Cisco faced a security breach as a result of a Magecart attack, specifically targeting the checkout processes on the merchandise website. This incident not only affected the security of customer data but also raised concerns about the security of the enterprise-level solution.

Discovery and Mitigation

Cisco’s merchandise store is currently offline due to a security incident involving harmful JavaScript code intended to steal sensitive customer information during the checkout procedure. Anonymous researchers have suggested that this breach may be associated with a CosmicSting attack (CVE-2024-34102).

While the specifics of the intrusion are still unclear, it is believed that the malicious JavaScript was injected into the website over the weekend of August 30th. The heavily obfuscated code gathers sensitive information, including credit card details, postal addresses, phone numbers, email addresses, and user login credentials. The malicious JavaScript is highly obfuscated and was delivered from the domain rextension.[net], which was newly registered on August 30.

CosmicSting, a security threat, that affects the Adobe Commerce (Magento) platform, allows attackers to perform XML external entity (XXE) injections, enabling them to insert harmful code into content management system (CMS) blocks within the checkout process.

On September 5th, 2024, a Cisco spokesperson provided the following statement for BleepingComputer:

“We are aware of an issue related to a Cisco-branded merchandise website that’s hosted and administered by a third party supplier. The site has been temporarily taken offline as a precaution while we address the issue, and we are notifying the limited number of site users that we identified as having been impacted by the issue. No employee credentials have been compromised.”

Preventative Measures

Organisations can take proactive measures to fortify their defences against attacks:

Regular Security Audits: Conduct frequent security assessments to uncover vulnerabilities.
Security Awareness Training: Regular training for employees regarding phishing and other social engineering attacks can help reduce the likelihood of an initial breach.
Content Security Policy (CSP): Implementing a robust CSP can limit the execution of unauthorised scripts, reducing the risk of code injection attacks.
Magecart Detection: Leverage advanced monitoring solutions that can quickly identify untrusted scripts to enable rapid response to breaches.

The Cisco Magecart attack serves as a stark reminder of the persisting threats within the ecommerce domain. Organisations must stay vigilant and adopt a comprehensive approach to cybersecurity, encompassing prevention, detection, and response strategies.

As cybercriminals continue to refine their methods, the responsibility lies with businesses to safeguard their platforms and protect sensitive customer information from exploitation. Staying informed and prepared is the best defence against the ever-present threat of Magecart and other cyberattack vectors.

Get Started With Free Magecart Detection

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.