JavaScript skimmers: An evolving and dangerous threat

JavaScript is a key and oft-used technology for web developers in the creation of interactive web pages, but its ubiquity has not gone unnoticed by cyber criminals looking to weaponise the programming language against organisations.

In fact, the language is key to the fabric of the online world, with it being used client-side by 95% of all websites. A unique attribute of JavaScript exploits – mechanisms for the illicit and unintended use of the technology – is that they occur beyond the realm of the corporate network and, therefore, outside the parameters of traditional security controls.

Savvy cyber criminals operate within this blind spot to compromise users while going unnoticed for weeks or months. 

One area particularly vulnerable to these threats is in the vast and lucrative world of e-commerce. Cyber criminals plant webform-skimmers deep inside an organisation’s JavaScript to intercept customer credit cards details in dragnets across the web.

Massive and very high-profile breaches have brought JavaScript threats into the public consciousness, perhaps the biggest of which being the 2018 breach of the UK’s national flag carrier, British Airways (BA). The hack of the fortune-500 company resulted in the exfiltration in half a million credit card numbers, shattering public trust. To add to the airline’s woes, the Information Commissioners Office (ICO) announced its intention to fine BA £189.39m for the breach of its customers’ data.

The dawn of the 2020s has heralded evolutions in JavaScript threats, as ever-innovative cyber criminals develop new means through which to victimise organisations and consumers. At the forefront of this activity is Magecart – a shadowy online criminal syndicate comprised of dozens of subgroups that specialise in credit card theft through skimming online payment forms.

Magecart breaches are now detected hourly and cyber security companies have observed millions of instances of skimmers being used across the net. Attacks from the syndicate range from amateur to highly sophisticated actors pushing the boundaries of what Magecart can achieve. As time progresses, Magecart attacks are, as a rule, becoming more advanced.

Magecart operatives will carefully study the e-commerce platforms of large organisations to gain insight into their inner workings and hidden vulnerabilities.

The modus operandi is to develop custom-built skimmers in line with a targeted website’s appearance and functionality; this allows for the seamless interception of credit card data and other types of information usually off-limits to skimmers. For example, Magecart will skim information typed into online shopping profiles, in which customers save names and shipping addresses.

This enables Magecart actors to combine skimmed PII [personally identifiable information] with its corresponding financial data to create “fullz”, packages of highly valuable data to be sold on the black market. Like castles, websites will always have vulnerabilities and strongpoints; attackers simply need time to study their targets and identify where the vulnerabilities are.

Other Magecart groups have focused on third party web service organisations, whose widgets are used widely in the websites of well-known and visited brands. By compromising one of these services they effective compromise all sites that make use of that service. 

As sharks are drawn to blood in the water, criminal groups will be attracted to ecosystems proven to be lucrative. For example, Magecart 4 – which previously specialised in banking malware – has turned instead to skimming attacks. This results in a concentration of talented cyber criminals drawn to this threat vector and focusing on the advancement of skimming. It no longer matters what method of online payment organisations choose to employ; given enough time, cyber criminals will find its vulnerability.