JS Sniffer exploited

JS Sniffer exploited in multiple attacks for e-commerce data theft

Target: e-commerce platforms Magento, OpenCart, Dealer.com, Shopify, WordPress and others
Attack Vector: injection of JS Sniffer code into legitimate website JavaScript
Summary: Researchers have been tracking a new e-commerce financial data theft framework since 2017. JS Sniffer has been mainly leveraged against Magento, an open source e-commerce platform, but has also been observed attacking OpenCart, Dealer.com, Shopify, WordPress and others.
JS Sniffer has been observed being sewn into legitimate JavaScript written for websites so that it looks legitimate and avoids detection; the attacker's domain is then obfuscated to make the code stealthier still. JS Sniffer has also been delivered from a lookalike website controlled by an external attacker. In the sample case, researchers observed the domain and code disguising themselves as related to Google Analytics. The user is tricked into clicking a link on the website, which then executes ga.js from a server controlled by the attacker.
JS Sniffer has been developed as a data scraping tool that harvests large volumes of credentials, passwords, financial details and other personal data from its victims. It sits quietly in the background on legitimate websites, so victims are unaware that as they enter details for a legitimate transaction, those details are being harvested by cyber-criminal gangs.
Multiple attackers have been targeting companies that operate large-scale online e-commerce payment systems, such as ticketing websites, and modifying JavaScript to send card details to the attackers. This behind-the-lines activity has created a loophole: companies that have already invested heavily in cybersecurity, policies and encryption, and that follow PCI standards, find themselves successfully targeted, because the breach of a single third-party JavaScript library breaks the cybersecurity chain.
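As an added defensive example (not taken from the original report or from any of the vendors named above), the following Python check scans a page's script tags for the three patterns described: a script served from an unlisted or lookalike host, an allowlisted third-party library that is not pinned with Subresource Integrity, and an inline script that hides its exfiltration host behind \x escapes, String.fromCharCode() or split string literals. The first-party host, the allowlist and the sample page are all constructed for the example.

```python
import re
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"                                              # constructed first-party host
ALLOWED_THIRD_PARTY = {"www.google-analytics.com", "chat.vendor.example"}  # constructed allowlist
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)(?:\s*=\s*"([^"]*)")?')
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def deobfuscate(js):
    """Undo \\xNN escapes, String.fromCharCode() and "a"+"b" splitting so a
    hidden hostname becomes one plain literal that HOST_RE can match."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", lambda m: '"%s"' %
                "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), js)
    return re.sub(r'"\s*\+\s*"', "", js)

def audit(html):
    """Return sorted (finding, host) pairs for every <script> on the page.
    A regex scan suffices for this constructed sample; use a real HTML parser in production."""
    known = ALLOWED_THIRD_PARTY | {FIRST_PARTY}
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        if a.get("src"):  # external script: check its host and whether SRI pins its content
            host = (urlparse(a["src"]).hostname or FIRST_PARTY).lower()
            if host not in known:
                findings.append(("unlisted_script_host", host))     # lookalike or attacker host
            elif host != FIRST_PARTY and "integrity" not in a:
                findings.append(("third_party_without_sri", host))  # a vendor compromise would pass silently
        else:             # inline script: look for hosts hidden by obfuscation
            for host in set(HOST_RE.findall(deobfuscate(body))):
                if host.lower() not in known:
                    findings.append(("hidden_host_in_inline_js", host.lower()))
    return sorted(findings)

# Constructed sample page: a first-party script, genuine analytics pinned with SRI, an
# allowlisted support widget without SRI, a lookalike "ga.js" host, and an inline sniffer
# whose exfiltration host is hidden with \x escapes plus String.fromCharCode().
SAMPLE_PAGE = r"""<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script src="https://google-analitycs.example/ga.js"></script>
<script>var u="\x68\x74\x74\x70\x73\x3a\x2f\x2f"+String.fromCharCode(99,100,110,46,101,120,102,105,108,46,101,120,97,109,112,108,101);</script>"""
```

Running audit(SAMPLE_PAGE) flags the hidden host cdn.exfil.example, the unpinned chat.vendor.example widget and the lookalike google-analitycs.example, while the first-party and SRI-pinned scripts pass.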
Analyst Comment: The threat is assessed as 3c MODERATE. If successfully deployed onto a company’s website or payment engine, JS Sniffer is an extremely effective stealer that could easily be leveraged by even entry-level cybercriminals. This raises the likelihood of infection, as such stealers are widely available on underground forums. Although not particularly advanced malware, JS Sniffer does disguise its presence inside normal JavaScript as an anti-detection technique, which also raises the likelihood of a successful infection attempt. The impact of an infection on a company’s website or payment engine would be catastrophically brand damaging and would undermine customer confidence.
In a similar incident, on the 23rd June 2018 Ticketmaster UK admitted that malicious software had been injected into JavaScript hosted on one of its customer support products, provided by a third-party vendor, Inbenta Technologies. This allowed customer payment details and sensitive personal data to be stolen. In this instance, a number of umbrella companies were also affected: the Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites. Ticketmaster reported that international customers who bought tickets between September 2017 and June 23, 2018, were affected, and that as many as 40,000 UK-based customers who bought tickets between February 2018 and June 23, 2018, may also have been affected.