JavaScript Fraud: More Than Just Magecart and Skimming

The global pandemic has driven a sharp rise in online traffic that provides fertile ground for attackers to execute a growing number of more sophisticated client-side attacks. For example, Magecart-style attacks are used to steal sensitive information by skimming data either through a first-party JavaScript, or through a third-party (aka the supply chain).

Accessing Personally Identifiable Information (PII) isn’t the only target of bad actors who exploit vulnerabilities on the client-side. Some recent cases provide interesting insight into how it can also be abused to perform an assortment of fraudulent activities while “leeching” on to website visitors, using these visitors to perform certain actions completely undetected.

We refer to this kind of behavior as JavaScript Leeching and define it as injecting JavaScript into a specific website to exploit incoming traffic. This is done by using visitors’ machines to perform miscellaneous actions in the background, usually unknowingly to the visitors, to make a profit. The following are two recent real-world examples of JavaScript Leeching:

  1. Fake traffic generation and ad-fraud: Imperva’s Threat Research Labs uncovered a full-fledged ad-fraud operation exploiting the client-side to sell traffic. The team discovered a Chrome extension that has been exploited and used for conducting a large scale ad-fraud in which scammers were selling traffic to specific websites. By injecting the malicious JavaScript into the target domain (ideally a site with a high volume of traffic), the extension was able to “leech” onto that domain’s visitors and generate traffic to websites paying for their “services”. The team identified a set of domains () with traffic coming only from Chrome clients, while regular traffic to the web server itself was generated by multiple clients and IPs. This behavior led to the discovery of the extension that was injecting the malicious JavaScript. Some detected malicious links are: https:// sfops[.]ru, https:// traot[.]ru, and https:// tropif[.]ru.
  2. Cryptojacking: In a fascinating recent article by Troy Hunt, he tells the story of the Coinhive domain, whose owners used their visitors to harvest Monero coin without them even knowing. Essentially, their idea of monetizing their website instead of showing ads to their visitors, was using their CPU power to mine the cryptocurrency and make a profit. How did they achieve that? JavaScript, of course. They used a very simple in-browser JavaScript cryptominer. And while it might not have been able to draw a lot of power from a single user, a little goes a long way when multiplied by the number of visitors. In fact, the company was able to earn an estimated $250,000 per month. The website is now owned by Troy and is no longer active.


This highlights a core issue with JavaScript: it is very easy to use and exploit by bad actors while difficult to detect and monitor for security teams.

A dangerous and easy to use tool

In the Coinhive case, it was the website owners who implemented the JavaScript. It would not be far-fetched to think bad actors could also exploit vulnerable websites by injecting JavaScript into them. In his article, Troy explains just how easy it is. This highlights a core issue with JavaScript: it is very easy to use and exploit by bad actors while difficult to detect and monitor for security teams.

The challenges of third-party services

For security teams, handling the threats posed by the client-side can be quite intricate and taxing. Today, there are dozens of third-party services running on websites that are executing on the client-side. Most security organizations end up having a blind spot to the services they are supposed to protect. This isn’t an easy task, as the security team usually isn’t part of the development cycle. Using HTTP Content-Security-Policy headers is another workaround, although these are extremely difficult to implement and maintain across the organization without additional helpful tooling.

Client-side protection stops malicious JavaScript executing on your website

Imperva’s Client-Side Protection provides security teams with visibility into JavaScript services executing on your website at any given moment. It automatically scans for existing and newly added services, eliminating the risk of them being a blind-spot for security. Imperva handles the difficult part of Content-Security-Policy for your organization, making it a viable part of mitigation. The domain risk score adds a credibility rating for each service, making it easier for security to determine the nature of each service, and determine whether it should be allowed to run or not. Simplified actions let you allow approved domains while blocking unapproved ones. Client-Side Protection ensures your customers’ sensitive information doesn’t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.

Client-Side Protection is a part of Imperva’s Application Security Suite. Start your Application Security free trial today.

The post JavaScript Fraud: More Than Just Magecart and Skimming appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Erez Hasson. Read the original post at: