Ted McKendall

In last week’s blog post we covered some more general information about Javascript skimmers, a threat to websites (or more accurately, website visitors) that has grown over the past few years. This week we shall cover some more details about this threat, as well as what Trusted Knight’s research team is currently seeing.

 

6. Javascript skimmers can be quite productive in a short period of time….

Some Javascript skimmers are only active for a relatively short period of time. Yet due to their scale – affecting every user who visits the site, often, as mentioned last week, including both mobile and desktop/laptop users – they can have a massive impact during that short period. One early example of this is the British Airways attack, which compromised details of about 500,000 customer accounts in the roughly two weeks during which it was active in late August and early September 2018. Other sites are not as forthcoming in their victim count but one can speculate based on timing and expected traffic volume. Macy’s was hit only for a week but it was on the cusp of the holiday shopping season in October 2019, for example.

 

7. …But for many sites, Javascript skimmers can operate for weeks or months before being noticed.

In many if not most cases, the business does not find the Javascript Skimmer through their own security monitoring or alerting. Rather the business is notified by a third-party (customer, security researcher, payment processor, etc.) that there is a Javascript skimmer on the website. Because of this, sometimes skimmers can operate undetected for weeks or months collecting customer data. For example claires.com suffered for at least two months. In general the smaller the business, the longer the Javascript skimmer will be able to operate before being detected. Trusted Knight routinely identifies small business websites that have had Javascript skimmers on them form many months or over a year.

 

8. Javascript skimmers will not be caught by traditional AV or even most advanced endpoint security products…

In general a business cannot rely on their users to have defenses in place to protect themselves from a Javascript skimmer threat. Firstly, in most cases users will be consumers (shoppers, online banking customers, or other online customers) and will be using consumer devices with possibly no security in place or at best minimal security that may be months or years out of date. Secondly, traditional antivirus (AV) products focus on preventing infections by known malware, so may be checking for web file downloads but they do not monitor the content of web application code. In fact, even more sophisticated endpoint security software is not well-suited to defend against Javascript skimmers. This is because fundamentally the linkage to the malicious Javascript code is coming from the same source as legitimate Javascript code: the website or its trusted third-parties. This makes it challenging for the endpoint security software to know what is malicious and what is part of the actual web application, beyond looking for a few known-bad signatures or indications of compromise (IOCs).

 

9. …and Javascript skimmers use evasion techniques to avoid detection.

If you cannot rely upon your users to defend themselves (and why would you want to put that onus on them anyway? These are your customers after all.) can you detect these skimmers yourself? Turns out it is not so simple due to the evasion techniques they frequently employ. In the first place, the code is usually obfuscated, sometimes highly obfuscated. In one case Trusted Knight’s research team found a sample that required multiple decodes and included purposely dead code to mislead. Also, where information may be seen by an observer, such as a domain receiving exfiltrated data, care is taken to use innocent sounding domain names. For example with the claires.com compromise the criminals used claires-assets[dot]com. Other more generic examples include livechatcdn[dot]com, font-assets[dot]com, and apistatus[dot]com. As they have been subjected to more analysis, Javascript skimmer authors have also adopted some of the techniques of their endpoint malware counterparts, such as trying to detect whether or not a JavaScript debugger is currently running, or removing themselves from the HTML code of the infected site after executing successfully.

 

10. Javascript skimmer attacks have grown from a novel attack into a business in just a few years.

As is frequently the case, Javascript skimmer authors realized it was better to sell shovels rather than mine for gold themselves. Thus, similar to form-grabbing keyloggers, ransomware, phishing, and other attacks that became easier to monetize as the techniques matured and the target space opened up, turn-key Javascript skimmer kits have begun to appear. For as little as $5K one can purchase a skimmer, with full support on getting it working on a vulnerable site. Skimmers can also be rented as a kind of Javascript-skimmer-as-a-service, where the revenue is shared with the service provider. While monitoring and combating this threat Trusted Knight’s research team has observed a transition from a couple of organizations with fairly large workforces to a more distributed number of unaffiliated operators, all within just a couple of years.

So how can organizations protect themselves? There are a number of best practices that will help, such as using a web application firewall (WAF) and perform regular security testing of your web application to ensure your main website is less vulnerable to compromise and direct injection, and staying current on all software patches for your web platform and third-party components and services. Trusted Knight’s Protector Air includes a two-pronged approach to defending against Javascript skimmers:

1. Protector Air will monitor for and can actively block known-bad Javascript skimmers, preventing them from stealing your customers’ data

2. Protector Air will also monitor your third-party services of your website, and alert on any anomalies, such as new sources of Javascript.

 

Contact us today to find out more

blog-post-logo