JavaScript eSkimming: A rising threat

JavaScript is a key language for developers creating interactive web applications. As one of the most popular programming languages, it is used in 95% of websites, partly because it runs in the user's browser, beyond the corporate network and therefore outside traditional security controls. As a negative consequence, hackers have started exploiting and weaponizing JavaScript to steal sensitive information.

E-skimming

Some years ago, the way criminals stole credentials was by setting up cameras at the local ATM and hoping to capture card details that way. Now the exact same thing is going on in the eCommerce world: thousands of websites are being skimmed for credentials, the "camera" being some lines of JavaScript that the criminals insert into the site and that run in the customer's browser. There are multiple ways the hackers can get in, the main ones being:

1) Direct entry (exploiting bugs or un-patched software, or trying username/password combinations)

2) Getting in through third-party suppliers / partners.

Getting in through a third-party partner has become more common and is potentially very dangerous, since big companies often have tiny third-party partners that provide them with software and therefore have access to the admin website. Since the partners are tiny, they don't have the necessary protection, and that way the hackers can easily get in. This new way of utilizing JavaScript was first detected in 2018 by RiskIQ. This is very dangerous and makes every eCommerce retailer a target, and the threat is increasing as more hacker groups get to know this method. Read more here or watch the head of the threat department talk about the subject.


Use Case: Ticketmaster & British Airways

In June 2018 Ticketmaster was hit by a massive cyber attack. They got a £5 million fine for the data breach, and up to 40.000 UK Ticketmaster customers were believed to have had some personal information stolen (650 customers directly stood up in court, having had their money stolen). The breach went undiscovered by Ticketmaster for months; they discovered it only when banks started speaking out about money being stolen. Ticketmaster did not notice because everything in their system was up to date and there were no indicators of any attacks, until they found out that the attackers got in through a third-party supplier known as Inbenta. Later RiskIQ announced that the attacks were done by a group named "Magecart" (the name given by RiskIQ), and that the attack was part of a wider campaign targeting 800 suppliers.

In August 2018 (a month later) British Airways was targeted by the same group (Magecart), and it became one of the biggest breaches in modern history. Magecart set up custom targeted infrastructure to blend in with the British Airways website and got access that way. The breach was open for 15 days and 380.000 customers had their card information stolen. The skimming covered transactions on both PCs and mobile devices. BA received a massive £183M fine for this, and the event caused a lot of distrust and negative press, and caused them to lose ~50% of their market value over the following months.

Tip of the iceberg

These incidents got a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond those, and RiskIQ believes there is much more to come. They have identified 800 victim sites, among them 100 top-tier victims. The attackers get smarter every day, and by utilizing third-party suppliers they can access very big firms and in some cases instantly reach 10.000 victims. It is spreading faster and wider than ever before. This list contains some of the firms that have been targeted by Magecart's eSkimming (June 2018):

Codesealer Solution

Codesealer provides a unique product, CONNECT, that uses an end-to-end security strategy to protect firms against these kinds of attacks. The main purposes of CONNECT are:

1) Protect and prevent JavaScript from being manipulated on the website

2) Detect JS injection

3) Detect eSkimming traces

With CONNECT, firms are assured that even if a supplier has a breach, the firm's websites and servers can't be targeted.
