Kuwait ecommerce site is being used to facilitate client-side skimming attacks

Thursday, October 3rd, 2024

Himanshu Anand

Security Analyst

A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection, exposing customer payment data. The vulnerability, likely linked to the CosmicSting bug in Magento, has been patched, but sites that have not been updated remain at risk.

Unlike other impacted sites, Shrwaa[.]com is being exploited as infrastructure for additional attacks. A URL scan shows numerous sites referencing Shrwaa[.]com, which hosts multiple malicious JavaScript files:

Because threat feeds are not currently flagging this domain (a big issue when it comes to client-side attacks), the attackers use it as infrastructure to speed up the process of infecting more sites.

One file called jquery.js is only loosely obfuscated, giving us insight into how the injection works. This file creates a simple HTML page that tricks users into entering their payment details. These fake pages overlay the legitimate payment forms:

Since no third-party script monitoring or comparable security practice is in place, this attack remains active, and has likely been active since December 2023.
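A blocklist built from threat feeds misses a host that no feed has flagged, so the script monitoring described above is better done against an allowlist. The following is an added example, not code from this post or from c/side: it audits the `<script>` tags of a checkout page, and the sample HTML, hostnames, allowlist and the `auditScripts` function are all constructed for illustration.

```javascript
// Added example. The HTML, hostnames and allowlist are constructed for illustration.
const SAMPLE_HTML = `
<head>
<script src="/static/js/app.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://analytics.example/tag.js"></script>
<script src="//compromised-shop.example/js/jquery.js"></script>
</head>`;

// Returns one finding per external script that is either served from a host
// outside the allowlist or allowlisted but loaded without an SRI integrity hash.
// Inline and same-origin scripts are not inspected here.
function auditScripts(html, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).hostname;
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi; // simple tag scan, not a full HTML parser
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;
    let url;
    try {
      url = new URL(src[1], pageUrl); // resolves relative and //host URLs
    } catch {
      findings.push({ src: src[1], host: null, issue: "unparseable-src" });
      continue;
    }
    const host = url.hostname.toLowerCase();
    if (host === pageHost) continue;
    const hasSri = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    if (!allowed.has(host)) {
      findings.push({ src: url.href, host, issue: "host-not-allowlisted" });
    } else if (!hasSri) {
      findings.push({ src: url.href, host, issue: "missing-integrity" });
    }
  }
  return findings;
}

const ALLOWED = ["cdn.payments.example", "analytics.example"];
const report = auditScripts(SAMPLE_HTML, "https://store.example/checkout", ALLOWED);
console.log(report);
```

The `jquery.js` reference is reported because its host is not on the allowlist, regardless of whether any feed knows the domain. The allowlisted analytics tag is reported separately because it has no integrity hash to pin its content.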

Attacks remain common on the Magento platform. These are known as Magecart attacks, and some of the largest incidents have involved similar tactics.

If Shrwaa[.]com had c/side in place, it would have blocked the malicious code and alerted the site to remove it. We have notified them and other sites of the attack.

You can protect your website for free by creating a c/side account.

More About Himanshu

I'm a software engineer and security analyst at c/side.