This might sound far-fetched, or the stuff of a bad streaming movie plot, but it does happen: Akamai’s security research team recently reported finding sites with this type of script running for a month before it was identified. The campaign spans the US, UK, Australia, Brazil, Peru, and Estonia. The exact method the attackers use to gain access to a site is unclear, but it could be via third-party plug-ins on the site or flaws in the ecommerce system the site runs. Once in, the attackers inject a JavaScript module that runs on the targeted site to capture and relay card data entered by shoppers.
From the attacker’s point of view, identifying and targeting exposed ecommerce sites is a good strategic move: they can leverage the site’s existing server and software infrastructure, and they avoid reputational blocking and other detection features because the site is already trusted. You are not likely to see a hit on VirusTotal, URLVoid, or AlienVault’s OTX. The JavaScript itself is further hidden by building it to resemble Google Tag Manager or Facebook Pixel, and it is obfuscated with Base64 encoding for good measure. Akamai indicated in their report that of the almost 10,000 sites identified in 2022, around 2,500 were still infected at the end of the year. This shows how easy a skimmer is to get in place, and how easily it is overlooked, without a proper vulnerability management and remediation plan.
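The two properties above (a loader that imitates Google Tag Manager or Facebook Pixel, and a Base64-obfuscated payload) are also what a site owner can check for in their own checkout pages. The following is an added example written for this post, not Akamai’s tooling or code from their report: it parses a page, flags external scripts whose host is not on an exact-match allowlist (so lookalike domains do not pass), and decodes long Base64 runs inside inline scripts to see whether they reference payment-form fields. The allowlist, the token list, the `.example` lookalike host and the sample page are all constructed for the example; the token list is a heuristic, not a signature.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) shop has approved for third-party scripts. Exact host
# matching is deliberate: a lookalike such as www.googletagmanager.example fails it.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "connect.facebook.net"}

# Strings that, inside decoded JavaScript, point at payment-form harvesting or
# relaying. Heuristic list chosen for this example, not a vendor signature.
SUSPICIOUS_TOKENS = ("cardnumber", "card_number", "cvv", "cvc", "expir",
                     "document.forms", "xmlhttprequest", "fetch(", "sendbeacon", "atob(")

# A run of 40+ Base64-alphabet characters with optional padding.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:          # only while inside a <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def decode_base64_blobs(text):
    """Return the UTF-8 text of every Base64 run in `text` that decodes cleanly."""
    decoded = []
    for match in BASE64_RE.finditer(text):
        core = match.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)   # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue   # long identifiers or hashes that are not real Base64 land here
    return decoded


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (script index, reason, detail) for every script that needs a human look."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for index, (src, body) in enumerate(collector.scripts):
        if src:
            host = (urlparse(src).hostname or "").lower()
            if not host:
                continue   # same-origin script; reviewed with the site's own code
            if host not in allowed_hosts:
                findings.append((index, "external script from unlisted host", host))
            continue
        for text in decode_base64_blobs(body):
            lowered = text.lower()
            hits = [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]
            if hits:
                findings.append((index, "base64-obfuscated inline script referencing "
                                        "payment data", ",".join(hits)))
                break
    return findings


# Constructed sample checkout page: a genuine tag-manager loader, a benign inline
# snippet, a lookalike loader on a host that is NOT on the allowlist, a same-origin
# script, and an inline script whose Base64 blob decodes to field-harvesting code.
# The blob is built here at run time so no hand-encoded string is needed.
_SKIMMER_LIKE = base64.b64encode(
    b"var f=document.forms[0];collect(f.cardnumber.value,f.cvv.value)").decode()

SAMPLE_PAGE = f"""
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://www.googletagmanager.example/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/static/checkout.js"></script>
<script>/* gtm helper */ eval(atob("{_SKIMMER_LIKE}"));</script>
</head><body><form id="checkout"><input name="cardnumber"><input name="cvv"></form></body></html>
"""

if __name__ == "__main__":
    for index, reason, detail in audit_scripts(SAMPLE_PAGE):
        print(f"script #{index}: {reason} ({detail})")
```

Run against the constructed page it reports two scripts: the lookalike loader (host not on the allowlist) and the inline `eval(atob(...))` snippet, whose decoded blob mentions `cardnumber`, `cvv` and `document.forms`. The genuine Google Tag Manager loader and the plain `dataLayer` snippet pass, which is the point: the check keys on where a script comes from and what its decoded payload touches, not on whether it looks like a tag-manager snippet. A scan like this belongs in the site’s deployment pipeline or a scheduled job so that a newly injected script shows up in hours rather than a month.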
Site owners hosting their own ecommerce software should put additional protections in place: harden the admin login area (including the use of multi-factor authentication), and check plug-ins and site software for patches and updates so that no known vulnerabilities are left on the table. Consumers can protect themselves by using virtual cards, enabling purchase notifications, and setting spending limits that block larger purchases without authorization. Browser plug-ins that block unwanted scripts from running on websites can also help, but they too can be fooled by the formatting into believing the script is a normal Google or Facebook script. Happy shopping