
What is Magecart? And How Can Shoppers Protect Themselves?

December 18, 2018    |    Cyber Security    |    Lydia Pert

The holiday shopping season is in full swing, which means cybercriminals are working overtime to take advantage of the increased online shopping transactions. It’s essential for you to protect yourself during this time of the year, and we have plenty of tips in our blog to help you keep your information safe and secure from hackers. But keep in mind the cyber world is always changing; it’s important to educate yourself and adopt new habits so you can be prepared for anything and everything. For instance, have you ever heard of “Magecart”? It’s one of the more recent cybersecurity threats, and it’s causing a lot of trouble for online retailers and their customers.

If you have never heard the name Magecart, you’re not alone. Magecart is the name used to categorize the tactics of at least six different hacker groups that have been on the cybercrime scene since early 2016. Despite being around for a couple of years, they only started gaining mainstream attention after pulling off a string of high-profile e-commerce attacks this past year. They have successfully attacked Ticketmaster, British Airways, Newegg, and several other major companies. In fact, they are responsible for most of the major hacks you saw in the news during 2018. So many companies are discovering that they’ve been targeted by Magecart hacking that it’s safe to assume there are even more that have been breached but don’t know it yet.

How Does Magecart Operate?

Magecart methods are simple but highly effective. The hackers break into retailer websites and insert card payment “skimming codes” (digital versions of the card skimmers criminals place in ATMs), which read and record the names, card numbers, and security codes of shoppers using the website. Once the hackers have the info they want, they sell it on the dark web to other cybercriminals who specialize in money laundering. This method is very difficult to detect, and in a lot of cases these hackers are able to funnel sensitive consumer information for months at a time without being discovered. If retailers do become aware and resolve the security breach, the Magecart hackers simply move on to another target.

Magecart hackers are not alone in their efforts; many hackers use similar methods to obtain payment information through websites that would otherwise be safe and secure. And, unfortunately for online shoppers, a lot of the standard security tips do not apply when it comes to hacks involving digital card skimmers. That’s because these hackers are not hacking into your device; they are going directly into the websites of major retailers and stealing information from there. So any information you submit to those retailers is at risk.
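On the retailer's side, one way to notice skimming code that has been inserted into a checkout page is to compare the scripts the page serves with a reviewed baseline. The Python below is an added example, not part of the original article; the host names, the inline script, and the sample page are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects [src, inline_text] for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_scripts(html, page_host, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts outside the reviewed baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:  # external script: compare its host with the allowlist
            host = urlparse(src).hostname or page_host  # relative URL = same site
            if host not in allowed_hosts:
                findings.append(("unexpected-host", host))
        else:    # inline script: compare its hash with the reviewed copies
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            if digest not in known_inline_hashes:
                findings.append(("changed-inline", body.strip()))
    return findings

# Constructed baseline (hypothetical hosts and script), as recorded at the last review.
ALLOWED_HOSTS = {"shop.example", "static.shop.example"}
KNOWN_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}
# Constructed sample of the same checkout page as served later.
SAMPLE_PAGE = """
<script src="/js/cart.js"></script>
<script src="https://static.shop.example/js/pay.js"></script>
<script>initCheckout();</script>
<script src="https://stats-cdn.example/a.js"></script>
<script>newWidget();</script>
"""
if __name__ == "__main__":
    print(audit_scripts(SAMPLE_PAGE, "shop.example", ALLOWED_HOSTS, KNOWN_INLINE))
```

Run on a schedule against the live checkout page, a check like this flags a script from a host nobody approved or an inline script that no longer matches its reviewed copy, which is what a retailer needs to see to investigate.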

What Can I Do to Protect Myself?

It’s still extremely important to practice standard cybersecurity this season, especially by using a VPN when shopping on public Wi-Fi. A good VPN acts as a tunnel to protect your data from being compromised while transmitting from your device to an online retailer. But even as important as VPNs are, they can’t protect your data once it has left that tunnel. Once your data leaves the tunnel and is submitted to the online retailer, it’s up to that retailer to protect it. And if that retailer is compromised, any information you give them is also going to be compromised.

Retailers are partnering with cybersecurity experts to prevent these invasions, but you still need to be proactive when it comes to protecting your private information. Remember: nobody can take care of your data the way you can. It’s important to only shop at retailers you know and trust, with a proven track record of protecting customer information. Magecart could target any retailer, but the attacks are less likely to be successful when the company has strong security measures.

During your last-minute holiday shopping, the best security measures are to check your financial accounts on a regular basis for any unauthorized transactions, and use PayPal or Apple/Samsung/Google Pay whenever possible. These payment platforms basically work as intermediaries for your financial information, which can protect you from Magecart hackers. For example, if you want to make an online purchase with Target, you can choose to check out through PayPal. You essentially pay PayPal, then PayPal pays Target on your behalf, which means Target never has access to your payment information in the first place. Even if they become compromised by Magecart, your information is still protected.

Magecart is an intimidating new force, but remember: you’re never helpless. Just tweak your internet habits a bit, and you’ll be able to have a safe and happy holiday shopping experience.
