Credit card theft through tracking scripts: How to protect yourself

Hackers manipulate third-party tracking scripts to steal payment information from millions of consumers on numerous websites. Cliqz and Ghostery block these scripts.

Trackers who steal

Björn Greif, Editor

Almost every website today contains trackers that collect data about you and monitor your browsing behavior. This is usually done for analytics, marketing or advertising purposes. However, trackers not only pose a threat to your privacy, but can also be a serious security risk. Therefore, you should block them in any case – even if you think you have nothing to hide.

During the course of this year, a series of attacks called “Magecart” has become known, in which hackers placed malicious scripts on e-commerce websites to steal credit card information. In total, several hundred sites were or are still affected, including British Airways, Ticketmaster, NewEgg, VisionDirect and Sotheby’s. Hackers were able to steal payment information from millions of consumers with this method.

Beware of tracking scripts on payment pages!

In all of these attacks, the entry point has been a malicious script. When such a script is placed on a payment page, the attacker can read all of the information entered, including credit card number, CVV, and more.

In order to infect as many websites as quickly as possible, hackers try to insert malicious code into third-party scripts that are embedded on many different websites. Therefore, any script loaded on a payment page is potentially a critical security weakness. Accordingly, the excessive use of third-party scripts, which web developers or site operators often embed in pages too carelessly, must be viewed critically.

Cliqz and Ghostery protect your data

All Magecart attacks rely on collection servers to receive the stolen data. If you know the server address, you can put it on a blocklist and prevent the browser from sending data to this server. Therefore, even when sites are compromised with malicious scripts, this code will not be able to contact the hacker’s server.

Cliqz and Ghostery already use such a blocklist in their browsers and anti-tracking tools to block these collection servers. Users are thus protected against the theft of their credit card information by Magecart hackers.
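The blocklist check described above, sketched as an added example (this is not Cliqz's or Ghostery's code). The domains are constructed placeholders and the function names are hypothetical; matching is done on whole domain labels so that subdomains of a listed server are caught while lookalike names are not.

```javascript
// Constructed blocklist entries; not real Magecart collection servers.
const BLOCKLIST = new Set([
  "collector.example",
  "cdn-stats.example.net",
]);

// Lower-case the hostname and strip a trailing root dot ("host.example.").
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True if the host is a listed domain or a subdomain of one.
// Suffixes are compared label by label, so "evilcollector.example"
// does not match the entry "collector.example".
function isBlockedHost(host, blocklist = BLOCKLIST) {
  const labels = normaliseHost(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide whether a request issued by a page should be cancelled.
function shouldBlockRequest(requestUrl, pageUrl, blocklist = BLOCKLIST) {
  let url;
  try {
    url = new URL(requestUrl, pageUrl); // resolves relative URLs against the page
  } catch {
    return false; // not a URL the browser could fetch
  }
  if (!url.hostname) return false; // data:, blob: etc. have no remote host
  return isBlockedHost(url.hostname, blocklist);
}

// Constructed requests, as a checkout page with an injected script might issue.
const page = "https://shop.example.org/checkout";
const requests = [
  "/static/app.js",                        // first-party, allowed
  "https://collector.example/gate?d=test", // exact match, blocked
  "https://IMG.Collector.Example./p.gif",  // subdomain, mixed case, root dot
  "https://evilcollector.example/x",       // lookalike, not on the list
];

function blockedRequests() {
  return requests.filter((r) => shouldBlockRequest(r, page));
}

console.log(blockedRequests());
```

The lookalike request is allowed through, which shows the limit of this defence: it only stops collection servers that are already known and listed.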

An analysis of the attack methods and a list of Magecart affected sites during November 2018 can be found in the article “The Trackers Who Steal” on WhoTracks.me.