What are digital skimmers?

Thursday, August 29th, 2024

Carlo D'Agnolo

Marketing & Growth

Recently, we read of a new significant cyberattack campaign that targeted hundreds of online stores, exploiting vulnerabilities in third-party scripts and plugins.

This is a perfect example of a ‘digital skimmer’.

Digital skimmers are snippets of code maliciously injected into legitimate websites. They target personal and credit card information.

This problem is on the rise and is part of the reason c/side was created. Our proxy is able to detect this malicious code and prevent it from affecting users on websites.

This code is loaded on the client side (the browser) of the user instead of on the website’s server. This makes it especially difficult to detect since most websites don’t have a tool like c/side in place to protect the client-side experience of their users.

Most of our competitors check this code after it has already loaded in the user's browser; that does not prevent the attack, it only alerts the website hosting it. We load every script through a proxy first and serve it to the user only after it has been deemed safe. We also optimize scripts where possible, serving them faster than a Content Delivery Network (CDN) would, which mitigates any latency concern and in fact often increases delivery speed.

What happened in this attack

This attack was disclosed by Malwarebytes and was, up until now, the most recent in a series of attacks executed on ecommerce sites using Magento.

We didn’t report on this since none of our users currently run Magento.

In other news, we recently noticed that Malwarebytes(.)fr had been set up as a domain-for-sale page with an IP logger that sent visitors' IP addresses to a Discord webhook. The webhook was quickly deleted or banned by Discord. Read here why expired domains can be a massive problem and are often used in these types of attacks.

Here’s evidence of that webhook:

[screenshot of the Discord webhook]

Back to the story.

A web supply chain attack like this happens because attackers breach Magento (or a Magento plugin) and remotely insert a single line of JavaScript. In most of these attacks, including this most recent one, the attackers alter a legitimate script so the change stays undetected for as long as possible.

The code is also obfuscated, making it even harder to work out exactly what it executes. Obfuscation itself is legitimate: companies use it all the time to protect their code from being copied or tampered with.

From there, the attack is quite simple. The injected code loads a function that captures the information users enter into and submit through the site's forms. That data is sent to the domain embedded in the malicious code, and the attackers now have it.

In this attack, the target was credit card information from unsuspecting people making purchases online. There’s very little those people can do, but the websites on which the attack happens are liable and often face PCI DSS fines and sometimes lawsuits.

In this case, the payment flow was interrupted during checkout: a fake payment-method frame was inserted and people filled in this form instead of the real one. This was done through a simple image tag fitted inside a single JavaScript line.

This would look like: {domain}.{shop|online}/img/
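Detection logic for the beacon pattern just described, added here as an example that is not c/side's code or the attackers' script: it scores outbound requests (as a proxy or the browser's PerformanceObserver would record them) and flags image requests to unknown hosts, /img/ endpoints receiving query-string data, and Luhn-valid card-like numbers, raw or base64-wrapped. The allowed hosts and the sample requests are constructed placeholders.

```javascript
// Added example, not c/side's code: classify outbound requests and flag the
// image-beacon exfiltration shape described above. Hosts and samples below
// are constructed assumptions, not real indicators.
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]); // assumed first-party hosts

// Luhn checksum: does a run of digits look like a real card number?
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Look for a 13-19 digit Luhn-valid number in a value, also after base64
// decoding, since harvested form data is commonly encoded before it is sent.
function containsCardNumber(value) {
  const candidates = [value];
  try { candidates.push(atob(value)); } catch (_) { /* not base64, ignore */ }
  return candidates.some(v => (v.match(/\d{13,19}/g) || []).some(luhnValid));
}

// rec = { initiator: "img" | "script" | "xhr", url: string }
function assessRequest(rec) {
  const url = new URL(rec.url);
  const reasons = [];
  if (rec.initiator === "img" && !ALLOWED_HOSTS.has(url.hostname)) {
    reasons.push(`image request to unknown host ${url.hostname}`);
  }
  if (/\/img\/?$/.test(url.pathname) && url.search.length > 1) {
    reasons.push("/img/ endpoint receiving query-string data");
  }
  for (const [, v] of url.searchParams) {
    if (containsCardNumber(v)) { reasons.push("card-like number in query string"); break; }
  }
  return { url: rec.url, suspicious: reasons.length > 0, reasons };
}

// Constructed sample traffic: one legitimate image, one beacon shaped like the skimmer's.
function sampleRequests() {
  const harvested = btoa("cc=4111111111111111&exp=12/27&cvv=123"); // constructed test values
  return [
    { initiator: "img", url: "https://cdn.shop.example/img/logo.png" },
    { initiator: "img", url: `https://placeholder-skimmer.shop/img/?d=${encodeURIComponent(harvested)}` },
  ].map(assessRequest);
}
```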

Malicious domains to be found in these attacks thus far include:

This is yet another in a series of attacks that underlines the immediate need for companies to secure the client-side experience of their users. Had these sites installed a tool like c/side, their users would have been protected.

Regulation is here

By March 2025, PCI DSS 4.0 requires websites that have online checkouts to monitor third-party scripts on their payment pages.

We advocate not only monitoring but also securing these scripts, so that sites are completely safe. We wrote here about the risk of securing only payment pages rather than the entire website: attackers will simply adapt, with a quick turnaround, and attacks are likely to still occur.

Know that by using c/side, the entirety of your website is protected.

You can get started for free and be secure in minutes.

More About Carlo

I'm in charge of marketing & growth at c/side, educating companies and users on the web about the dangers of third-party scripts and the broader client-side security risks.