Updates on Supply Chain Level Backdoors and Magecart

It appears that the supply chain level backdoor has been thought of as a viable business model for quite some time. And now people (and governments) are asking the pointy questions.

First Published 12th October 2018

Updates on Supply Chain Level Backdoors and Magecart

For a nostalgic feel, Supermicro's latest quantum prototype comes in this classic retro tower.

4 min read  |  Reflare Research Team

After our briefing last week on Bloomberg's report that hardware backdoors were placed into the hardware of major US corporations, little new solid information has become available. However, US lawmakers have begun sending requests for more information to Supermicro - the vendor implicated in the reports.

This can be seen as mostly posturing. Whether or not Supermicro is involved in any scheme, it is highly unlikely to admit to it. Likewise, since the Bloomberg report quoted ongoing police investigations, querying the results of those would appear to be the easier path to accurate information for the senators.

In the meantime, new reports from Bloomberg indicate that US telco providers might also have been targeted by the same scheme.

Whether or not these claims are accurate is still unknown. As we have stated in our previous briefing, the concept of hardware-level backdoors is very believable and likely already being abused by state actors in preparations for larger cyber attacks. However, there still is no public proof for this particular report and issues such as the overall poor security of Supermicro hardware making dedicated hardware backdoors redundant and questions regarding why a hardware manufacturer would choose to add a chip instead of backdooring an existing chip cast significant doubt.

We will keep you updated as this topic evolves.


We have previously covered attacks on Ticketmaster and British Airways by a hacking group named Magecart. The group usually employs similar strategies of placing malicious JavaScript code onto a target website using either CMSs or third-party plugins which then capture payment data and send it to the attackers.

It appears that the same group has once again struck. Shopper Approved, a service offering review widgets for integration into online stores to customers, was serving code suspected to be placed by Magecart for 2 days before the attack was discovered.

While the attack was discovered quickly when compared to British Airways or Ticketmaster, the 3rd party plugin nature of Shopper Approved’s offering means that the malicious code was likely running on a large number of 3rd party sites using the plugin.

It is therefore unlikely that comprehensive reports on the number of affected users across all victim sites will become available to the public.

Our recommendation on 3rd party plugins remains unchanged: Since they represent a significant risk to any website, they should only be acquired from trustworthy sources and thoroughly vetted before deployment.

Subscribe by email