
JavaScript skimmers: An evolving and dangerous threat

Cyber attacks exploiting Magecart JavaScript skimmers are spiking during the coronavirus pandemic, and like biological viruses, they just keep evolving

JavaScript is a key and oft-used technology for web developers in the creation of interactive web pages, but its ubiquity has not gone unnoticed by cyber criminals looking to weaponise the programming language against organisations.

In fact, the language is key to the fabric of the online world, with it being used client-side by 95% of all websites. A unique attribute of JavaScript exploits – mechanisms for the illicit and unintended use of the technology – is that they occur beyond the realm of the corporate network and, therefore, outside the parameters of traditional security controls.

Savvy cyber criminals operate within this blind spot to compromise users while going unnoticed for weeks or months. 

One area particularly vulnerable to these threats is the vast and lucrative world of e-commerce. Cyber criminals plant web-form skimmers deep inside an organisation’s JavaScript to intercept customers’ credit card details in dragnets across the web.

Massive and very high-profile breaches have brought JavaScript threats into the public consciousness, perhaps the biggest of which being the 2018 breach of the UK’s national flag carrier, British Airways (BA). The hack of the Fortune 500 company resulted in the exfiltration of half a million credit card numbers, shattering public trust. To add to the airline’s woes, the Information Commissioner’s Office (ICO) announced its intention to fine BA £189.39m for the breach of its customers’ data.

The dawn of the 2020s has heralded evolutions in JavaScript threats, as ever-innovative cyber criminals develop new means through which to victimise organisations and consumers. At the forefront of this activity is Magecart – a shadowy online criminal syndicate comprised of dozens of subgroups that specialise in credit card theft through skimming online payment forms.

Magecart breaches are now detected hourly and cyber security companies have observed millions of instances of skimmers being used across the net. Attacks from the syndicate range from amateur to highly sophisticated actors pushing the boundaries of what Magecart can achieve. As time progresses, Magecart attacks are, as a rule, becoming more advanced.


Magecart operatives will carefully study the e-commerce platforms of large organisations to gain insight into their inner workings and hidden vulnerabilities.

The modus operandi is to develop custom-built skimmers in line with a targeted website’s appearance and functionality; this allows for the seamless interception of credit card data and other types of information usually off-limits to skimmers. For example, Magecart will skim information typed into online shopping profiles, in which customers save names and shipping addresses.

This enables Magecart actors to combine skimmed PII [personally identifiable information] with its corresponding financial data to create “fullz”, packages of highly valuable data to be sold on the black market. Like castles, websites will always have vulnerabilities and strongpoints; attackers simply need time to study their targets and identify where the vulnerabilities are.

Other Magecart groups have focused on third-party web service organisations, whose widgets are used widely in the websites of well-known and much-visited brands. By compromising one of these services they effectively compromise all sites that make use of that service.

As sharks are drawn to blood in the water, criminal groups will be attracted to ecosystems proven to be lucrative. For example, Magecart 4 – which previously specialised in banking malware – has turned instead to skimming attacks. This results in a concentration of talented cyber criminals drawn to this threat vector and focusing on the advancement of skimming. It no longer matters what method of online payment organisations choose to employ; given enough time, cyber criminals will find its vulnerabilities.

How to stave off the skimming threat

Given the dynamism and persistence of skimming threats, it’s crucial that organisations develop thorough defences to guard against a worst-case BA scenario.

The trick to remaining safe is extensive knowledge and visibility of the organisation’s web-facing digital assets and their underlying JavaScript, regardless of whether it was developed by the organisation or loaded from a third-party provider as a service. As this code executes on the user’s machine, seeing the world through the eyes of the user can highlight malicious changes that would otherwise go unnoticed.

However organisations choose to defend themselves, one certainty is that JavaScript threats will continue their inevitable advance, and the complacent will be punished.

Fabian Libeau is EMEA vice-president at RiskIQ.
