Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Surge in JavaScript Sniffing Attacks Continues

Forbes Subscription Site, Picreel and CloudCMS All Hit This Week
Surge in JavaScript Sniffing Attacks Continues

The magazine subscription page for Forbes magazine and two web service platforms were hit with separate skimming attacks this week, security researchers say. Attackers are increasingly using JavaScript sniffing to steal credit card and other personal data.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In addition to the Forbes magazine subscription site, Picreel, an analytics provider that records customer behavior on websites, and CloudCMS, an enterprise-grade content management system used by companies to host content, were hit by skimmer attacks. The attacks against Picreel and Cloud CMS apparently were the work of Magecart, an umbrella group that has been increasingly active over the last year in targeting e-commerce sites to syphon off customer data, according to RiskIQ, a security firm that has been tracking these incidents over the past several months and conducted an analysis of these incidents.

What made Picreel and CloudCMS especially attractive targets for these JavaScript sniffing attacks is that they supply services to other websites, which potentially increases the amount of victims the attackers can reach, according to RiskIQ.

JavaScript sniffing - or JS sniffing - tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer or skimmer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods.

The result is a hard-to-detect attack that is effective at stealing data and also difficult to scrub from an infected website. That's why these schemes have increased over the last 12 to 18 months, says Yonathan Klijnsma, a threat researcher at RiskIQ.

"Skimming is lucrative and anything is a target," Klijnsma tells Information Security Media Group. "Sadly, there are many routes to get into a website. It could be a vulnerability, it could be credential reuse or it could be stolen credentials."

Skimmer Attacks on the Rise

Over the past years, Magecart has been at the center of a growing trend that has seen several major companies and their payments systems hit with these types of attacks, including ticket-selling giant Ticketmaster, U.K. airline British Airways as well as e-commerce site Newegg (see: Card-Skimming Malware Campaign Hits Dozens of Sites Daily).

More recently, Chinese IT firm Qihoo 360 Netlab found a skimmer campaign injecting malicious JavaScript into 105 e-commerce sites in an attempt to steal credit card and other information (see: New Skimmer Attack Steals Data From Over 100 E-Commerce Sites).

One reason for the increase is the malware used in these schemes is available for purchase for $250 to $5,000 on underground forums, according to an analysis by security firm Group-IB. Additionally, skimmers are customizable. The Magecart group is known to use one called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system - one of the more popular content management systems available and a frequent target of these attacks.

Targeting Forbes Subscription Site

On Wednesday, Troy Mursch, an independent security researcher with Bad Packets Report, reported that the Forbes subscription site - - had been hit with a skimmer attack, although it's not clear if this particular incident is tied to Magecart. The site was offline for part of Wednesday, but by Thursday, it was back online.

A Forbes spokesperson tells ISMG that the incident did not involve the main website, which doesn't ask readers for credit card information. The company took the infected subscription site down immediately, and no personal information was compromised, the spokesperson adds.

Mursch told ISMG that his team first noticed the attack at about 12:30 a.m. EDT on Wednesday and had notified Forbes about it, but received no answer. By 10 a.m. EDT, that site had been taken offline; it was restored about four hours later with the malware removed.

While it's not clear when the attack started, Mursch noted that the Forbes subscription site had been targeted previously on May 12.

A deobfuscated version of the malicious code, posted on Pastebin, shows that attackers were after credit card numbers, first and last names, email address, postal codes and other data.

In his analysis, Mursch found that the attackers used a WebSocket protocol, a two-way communication channels over a single TCP connection, in an attempt to exfiltrate the credit card and other information to their domain. That domain is now shut down.

While this particular attack against the Forbes subscription website bears some of the hallmarks of a Magecart operations, Klijnsma of RiskIQ does not see a connection between this incident and one of the 12 different "families" that make up Magecart.

"The skimmer in itself didn't match an exact group," Klijnsma says. "It looked more like a manual job of stitching together some functionality from a simple skimmer and tying it in with the exact payment button used on the Forbes magazine website."

Picreel & CloudCMS

The skimming attacks against Picreel and CloudCMS were first noticed on Sunday by Dutch security researcher Willem de Groot, who has tracked Magecart.

The attackers first sought out the supply chain of these two platforms to inject the malicious code, security researchers say. In web-based supply-chain attacks, which compromise vendors that supply code that adds website functionality, this approach gives attackers access to many more victims because the malicious code is then integrated with thousands of sites.

In its analysis, RiskIQ specifically tied these two attacks to the main Magecart group. Unlike previous operations, however, the attackers made a mistake that limited the damage in the attack against Picreel.

"With some of the compromises, the top part of the skimmer contains broken JavaScript and contains invalid characters, which was a major mistake by the attackers because it prevented the script from executing in the browser, which means, from the attacker's perspective, it didn't work," Klijnsma says. "We don't see this happen often, but given the sheer volume of attacks that take place, mistakes are bound to happen."

Representatives for Picreel and CloudCMS told ZDNet, which first reported the story, that they are aware of the attack and were investigating the cause.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.