You may have heard of credit/debit card skimmers. They’re small and subtle physical devices overlaid on shops’ payment terminals to funnel your financial information and send it off to a server controlled by the attacker who managed to install the skimmer. A Javascript sniffer is the online payment system equivalent (think online shopping cart) of card skimmers. It’s just that they steal your financial information from virtual payment systems rather than physical ones. In this post, we take an in-depth look at how Javascript sniffers work and what you can do to avoid falling victim to an attack.
Formjacking is a very similar type of attack, which also relies on malicious Javascript, but it is less targeted than Javascript sniffing attacks. Formjacking attacks target any information in any kind of online form. Javascript sniffing attacks specifically target online payment systems.
What is a Javascript sniffer?
As mentioned above, a Javascript sniffer is the online counterpart of card skimmers. In a Javascript sniffing attack, the attacker injects lines of codes (a script) on a website, which then extracts the personal data input by users in online forms, typically online store payment forms. The targeted user data includes credit card numbers, names, addresses, passwords, and phone numbers. Not only that, Javascript sniffers can even be purchased on underground forums or the dark web for anywhere between $250 and $5,000.
Javascript sniffing attacks first came to light around 2016. But they really hit the limelight in 2018 when many high-profile sites were successfully targeted.
Initially, Javascript sniffers were designed to target the Magento CMS platform, an open-source e-commerce platform used by over 250,000 e-commerce websites. Over time, different varieties (or families) of Javascript sniffers were developed, capable of compromising other e-commerce platforms, like OpenCart, Shopify, WooCommerce, and WordPress – which have all been successfully breached by Javascript sniffers. However, Magento remains the most popular target, with over 70% of Javascript sniffers designed to breach its platform.
Another thing to consider when looking at Javascript sniffing attacks is how the code is injected in the first place. If the attacker can’t inject their code, they can’t pull off the attack. The most common way malicious code is injected into websites is through cross-site scripting (XSS) attacks. So a big chunk of the defenses against Javascript sniffers will be directed toward preventing XSS attacks. Another popular attack vector is phishing attacks targeted at the website administrator to access the site’s control panel.
Javascript sniffers typical attack flow
Javascript sniffing attacks are quite straightforward once the attacker has injected their script. The typical attack flow looks something like this:
- The attacker injects their malicious code on a website’s checkout page. How they inject their malicious code can vary quite a bit. The point is to find a way to upload their code to the server. That would typically be through a cross-site scripting (XSS) attack, but it could be through any other type of code injection attack. It could also be through a phishing attack targeted at the website’s system administrator. That way, the attacker could presumably obtain the system administrator’s credentials and upload their script through the website’s control panel.
- A user makes a purchase on the website and enters their credit card details on the site’s checkout page. The attacker’s script copies that information and sends it to a server controlled by the attacker.
- The attacker can then use the funneled information for financial fraud or identity theft.
Javascript sniffer families
Javascript sniffers are classified into families. While there are many different Javascript sniffer families, the two main families are:
MageCart
MageCart is probably the most famous Javascript sniffer family. Its name is derived from the Magento content management system and its embedded e-commerce platform, used by hundreds of thousands of websites that provide online stores. MageCart has evolved over time and gained some interesting capabilities along the way. One of its tricks is to infect advertising banners that are displayed in web browsers. Once an unsuspecting user clicks the banner ad, the malicious MageCart code is downloaded to their machine.
MagentoName
The MagentoName JS sniffer family is one of the most common and successful Javascript sniffers. As you probably guessed, its name is also derived from the Magento content management system – a very popular payload. MagnetoName was initially crafted to only target the Magneto payment infrastructure but has since been adapted to target other back-end payment systems. That makes MagentoName one of the most potent Javascript sniffers out there.
G-Analytics
The G-Analytics family of Javascript sniffers works much like MagentoName insofar as it’s ultimately designed to steal your financial information for fraud or identity theft. However, it targets websites’ analytics collection services, like Google Analytics or the jQuery library. Once the malicious analytics script has been injected onto the server, it loads a second script that does the actual sniffing of unsuspecting users’ financial information.
Other Javascript sniffer families
While the above two are the most common Javascript sniffer families, there are many others. A report by security research firm IB Group lists 38 different Javascript sniffer families.
Other Javascript sniffer families include:
- GMO
- TokenLogin
- TokenMSN
- ImageID
- PreMage
- PHP backdoors
- GetBilling
- WebRank
- PostEval
- Illum
- FakeCDN
- CoffeMokko
- ReactGet
- Qoogle
While each of these Javascript sniffers may target different parts of a website’s infrastructure, they are all designed to funnel information from the site’s payment system and send that information to the attacker.
Javascript sniffing attack examples
Ticketmaster
On June 27, 2018, Ticketmaster announced it had been compromised and suffered a data breach, exposing customer information. The customer information that had been stolen was payment information. Ticketmaster had fallen victim to a Javascript sniffing attack.
However, it wasn’t Ticketmaster directly that was breached. Instead, it was one of its third-party suppliers for its website, Inbenta. Not only that, but Ticketmaster wasn’t alone: it and over 800 e-commerce sites worldwide were victims of an extensive digital credit card skimming campaign. As Ticketmaster downloaded its third-party resources, it also downloaded the Javascript sniffer and became “infected.” Over 40,000 Ticketmaster users were affected by this breach.
British Airways
On September 6, 2018, British Airways publicly announced that it had fallen victim to a breach that led to the theft of customer data. It stated that up to roughly 380,000 customers could have been affected and that the compromised information included financial information. The breach affected the payment system of both its main website and its mobile app between August 21 and September 5, 2018. British Airways was successfully attacked using the Magecart Javascript sniffer. That resulted in over 380,000 credit card numbers being compromised.
How to defend against Javascript sniffing attacks?
Because there’s a good chance that your attacker would inject their code using a cross-site scripting attack (XSS), protecting against XXS attacks is the first thing you should do. The points listed below should help. For more information on defending against XSS attacks, I recommend reading our dedicated article on the topic. Here is a high-level view of the recommendations:
Defending against cross-site scripting (XSS) attacks
- Don’t trust user input – You should treat all user input equally – don’t trust it – regardless of whether it comes from authenticated users, internal users, and public users.
- Set the HttpOnly flag – Setting the HttpOnly flag makes cookies inaccessible via client-side JavaScript.
- Use escaping/encoding – Use an escaping/encoding technique based on where the user input will be used, such as HTML escape, JavaScript escape, URL escape, etc. It’s also strongly recommended to use existing libraries for escaping rather than writing your own.
- Sanitize your HTML – Escaping/encoding user input that contains HTML will result in breaking valid tags. To work around this issue, use a trusted and verified library to parse and clean the HTML. Make sure you choose the appropriate library for your development language.
- Use a Content Security Policy – CSP is an HTTP response header that enables you to determine which dynamic resources are allowed to load based on the request’s source.
Defending against Javascript sniffing attacks
Hardening the website
- Use strong passwords – Make sure to use complex and unique passwords to access the website’s admin panel and any other administration services (phpMyAdmin, Adminer, etc.). If you can, also set up two-factor authentication.
- Update your software – Always update your software as soon as the updates are available, including your site’s CMS. Never use outdated or unsupported CMS versions. That will reduce the risk of your servers being compromised and make it more difficult for an attacker to inject malicious code.
- Scan your web store – Perform regular security audits of your web store using a vulnerability scanner. If your site uses the Magento CMS, you can use the Magento Security Scan Tool.
- Enable logging – Make sure your systems are configured to log any changes on the site, including the site’s control panel and databases. And make sure you’re able to track file change dates. That will help you detect any malicious code, infected files, and unauthorized access to the site.
Defending against phishing attacks
- Use a password manager with auto-fill – Password managers that support auto-fill need to keep track of the web pages for which they have been configured. If your auto-fill enabled password manager refuses to populate your password, double-check the web page you’re on. You may be the target of a phishing attack.
- Don’t open links/attachments in emails – Always verify emails that inchttps://www.comparitech.com/password-managers/lude links or attachments with the sender before clicking/opening them. If it comes from an online service or your bank, manually type the URL in your web browser yourself to make sure you’re on the actual legitimate website.
- Open suspicious documents in Google Drive – If you receive a suspicious document in an email, upload it to Google Drive rather than double-clicking it. That will convert the document into HTML and will very likely prevent it from installing malicious code on your device.
- Use a physical Two-Factor Authentication (2FA) key – It is highly recommended to configure your more sensitive accounts to use a 2FA key. When your accounts are configured in this way, after logging in normally (using your username and password), you insert the key into your device to provide the second layer in your two-factor authentication. One of the benefits of this approach is that if you end up on a phishing site, your 2FA key will know not to log you in.
Wrapping up
So we looked at what Javascript sniffers are, how they work and what can be done to defend against them. It’s always going to be a delicate balancing act between security and access when trying to harden the security of a website with which millions of external users interact. Hopefully, this article will help you better understand what you’re up against, and the tips it includes here will enable you to keep your site – and your users – safe.