The past few years have seen the emergence and rapid growth of a new threat to websites: Javascript skimmers, also called Javascript sniffers. We shall cover some more general observations about Javascript skimmers and get into a bit more detail about what Trusted Knight has seen in the course of our research.
1. Javascript skimmer attacks are actually a hybrid of server-side attacks and endpoint malware.
While the initial compromise may be on a web server to implant malicious javascript code, the code itself operates more akin to endpoint malware such as form-grabbing keyloggers. Still one of the most common forms of malware affecting end-users, keyloggers, and banking trojans evolved over a decade ago as a way to evade the security infrastructure banks and financial institutions had started placing around their online platforms. Rather than steal from online banking websites directly, form-grabbing keyloggers work by using malware to infect the bank's customers and then stealing banking credentials and other data directly from their web browsers as thy access the banking site. Similarly, with Javascript skimmers the javascript runs locally in the user's web browser, skimming a copy of sensitive form data as users interact with the web page: often payment data but also login credentials and other sensitive information. The data is then exfiltrated directly from the user's computer to the criminal's command and control (C2). Thus the data is stolen beyond the visibility of the business as well as outside of the security controls and defenses they would typically have around their web server infrastructure.
2. Often still called “Magecart,” these Javascript skimmer attacks have spread beyond their origins.
The term “Magecart” was originally used to refer to the malware kit used by one of the first groups to popularize this technique since they used it to great effect on websites that used the Magento ecommerce platform. As other groups copied the technique usage of the Magecart term grew until now it is even sometimes used to refer to Javascript skimmers that are not even targeting Magento-based websites. In fact, Javascript skimmers can be seen targeting many popular platforms including Magento, WooCommerce, WordPress, BigCommerce, Shopify, and others.
3. Javascript skimmers can be the result of an attacker compromising your website...
Javascript skimmers are typically relatively small bits of Javascript that are added to a website. In many cases, an attacker will exploit a vulnerability in your website framework or platform, but rather than break in to steal data directly, the attacker will leave the Javascript skimmer behind, modifying one or a few of your website files with just a line or two of code to link to his malicious code. Thus, every user that visits your site not only views your intended content but also obtains and runs a copy of his malicious Javascript.
4. ...But are often the result of a software supply chain compromise
The vast majority of websites that are hit with Javascript skimmers are through third-party sites. Over two-thirds of websites include code from third-party sources - analytics tools, review sites, chat providers, shopping carts, loyalty services, open-source libraries, and utilities, etc. - it is a reality of the modern web application. But every third-party source introduces another vector for possible compromise by an attacker, who can use that as a way to inject his Javascript skimmer into your website. This is sometimes called a supply-chain attack as it can cascade like a real-world supply-chain attack. This is a great way for criminals to scale their attacks. For example, a compromise of the PrismWeb platform injected a Javascript skimmer in over 200 campus book and merchandise online stores in the US and Canada, and an attack on the e-commerce platform Volusion affected over 6600 websites.
5. Javascript skimmers can affect both mobile and desktop/laptop users
Given the emphasis on Javascript, one might be tempted to think that the main target is desktop and laptop users with a full web browser. Not so - mobile users can be equally affected. Certainly, if they are using mobile browsers, mobile users will be as affected as desktop/laptop users. Furthermore, many mobile apps are actually built as empty or partly empty shells that load the majority of the content from a website. So if the website is serving a Javascript skimmer to browsers, it will also serve that to the mobile app to run. Such was the case for example with the British Airways website when it was hit with a Javascript skimmer back in September 2018.
6. Javascript skimmers can be quite productive in a short period of time....
Some Javascript skimmers are only active for a relatively short period of time. Yet due to their scale - affecting every user who visits the site, often, as mentioned last week, including both mobile and desktop/laptop users - they can have a massive impact during that short period. One early example of this is the British Airways attack, which compromised the details of about 500,000 customer accounts in the roughly two weeks during which it was active in late August and early September 2018. Other sites are not as forthcoming in their victim count but one can speculate based on timing and expected traffic volume. Macy's was hit only for a week but it was on the cusp of the holiday shopping season in October 2019, for example.
7. ...But for many sites, Javascript skimmers can operate for weeks or months before being noticed.
In many, if not most cases, the business does not find the Javascript Skimmer through their own security monitoring or alerting. Rather the business is notified by a third party (customer, security researcher, payment processor, etc.) that there is a Javascript skimmer on the website. Because of this, sometimes skimmers can operate undetected for weeks or months collecting customer data. For example, claires.com suffered for at least two months. In general the smaller the business, the longer the Javascript skimmer will be able to operate before being detected. Trusted Knight routinely identifies small business websites that have had Javascript skimmers on them for many months or over a year.
8. Javascript skimmers will not be caught by traditional AV or even the most advanced endpoint security products...
In general, a business cannot rely on their users to have defenses in place to protect themselves from a Javascript skimmer threat. Firstly, in most cases, users will be consumers (shoppers, online banking customers, or other online customers) and will be using consumer devices with possibly no security in place or at best minimal security that may be months or years out of date. Secondly, traditional antivirus (AV) products focus on preventing infections by known malware, so maybe checking for web file downloads but they do not monitor the content of web application code. In fact, even more, sophisticated endpoint security software is not well-suited to defend against Javascript skimmers. This is because fundamentally the linkage to the malicious Javascript code is coming from the same source as legitimate Javascript code: the website or its trusted third parties. This makes it challenging for the endpoint security software to know what is malicious and what is part of the actual web application, beyond looking for a few known-bad signatures or indications of compromise (IOCs).
9. ...and Javascript skimmers use evasion techniques to avoid detection.
If you cannot rely upon your users to defend themselves (and why would you want to put that onus on them anyway? These are your customers after all.) can you detect these skimmers yourself? Turns out it is not so simple due to the evasion techniques they frequently employ. In the first place, the code is usually obfuscated, sometimes highly obfuscated. In one case Trusted Knight's research team found a sample that required multiple decodes and included purposely dead code to mislead. Also, where information may be seen by an observer, such as a domain receiving exfiltrated data, care is taken to use innocent-sounding domain names. For example, with the claires.com compromise the criminals used claires-assets[dot]com. Other more generic examples include livechatcdn[dot]com, font-assets[dot]com, and apistatus[dot]com. As they have been subjected to more analysis, Javascript skimmer authors have also adopted some of the techniques of their endpoint malware counterparts, such as trying to detect whether or not a JavaScript debugger is currently running, or removing themselves from the HTML code of the infected site after executing successfully.
10. Javascript skimmer attacks have grown from a novel attack into a business in just a few years.
As is frequently the case, Javascript skimmer authors realized it was better to sell shovels rather than mine for gold themselves. Thus, similar to form-grabbing keyloggers, ransomware, phishing, and other attacks that became easier to monetize as the techniques matured and the target space opened up, turn-key Javascript skimmer kits have begun to appear. For as little as $5K one can purchase a skimmer, with full support on getting it working on a vulnerable site. Skimmers can also be rented as a kind of Javascript-skimmer-as-a-service, where the revenue is shared with the service provider. While monitoring and combating this threat Trusted Knight's research team has observed a transition from a couple of organizations with fairly large workforces to a more distributed number of unaffiliated operators, all within just a couple of years.
So how can organizations protect themselves? There are a number of best practices that will help, such as using a web application firewall (WAF) and performing regular security testing of your web application to ensure your main website is less vulnerable to compromise and direct injection and staying current on all software patches for your web platform and third-party components and services. Trusted Knight's Protector Air includes a two-pronged approach to defending against Javascript skimmers:
- Protector Air will monitor for and can actively block known-bad Javascript skimmers, preventing them from stealing your customers' data
- Protector Air will also monitor the third-party services of your website, and alert you on any anomalies, such as new sources of Javascript.