
A New Decade Of Javascript Threats

Just a decade ago, the world's JavaScript was a nearly untapped wellspring of victims and cash for attackers: a new frontier for cybercrime that covered roughly 95% of all websites on earth. It was ripe for the picking.

Because they execute in the victim's browser, JavaScript threats were outside the corporate network and beyond the purview of traditional security controls. Realizing they were operating in a blind spot for security teams, innovative threat actors seized the opportunity and started picking apart the JavaScript of websites worldwide.

E-commerce was particularly vulnerable to this onslaught, with web skimmers intercepting consumer credit card numbers across a massive swath of websites. With the rise in the value of cryptocurrency, actors also went to work stealing users' CPU cycles to mine coins, stealthily placing cryptominers in the JavaScript of thousands of victimized websites.

Soon, entire underground economies grew around the spoils of JavaScript threats, and the pool of threat actors grew with them. Novice actors took advantage of pre-packaged cryptominers, skimming kits, and already-compromised websites. At the same time, advanced attackers kept raising the bar by finding new ways to breach websites and maximize profits.

Eventually, mega breaches resulting from Magecart attacks, such as the hack of British Airways, brought JavaScript threats into the public consciousness. The hack of a renowned Fortune Global 500 company and the subsequent exfiltration of hundreds of thousands of customer records shattered consumer trust. It also drew a regulatory response under the GDPR: the UK Information Commissioner's Office announced its intention to fine the company £183m, about 1.5% of British Airways' 2017 worldwide turnover.

Now, in 2020, we're entering a new chapter of JavaScript threats. Actors are as numerous, savvy, and sophisticated as ever, but they are no longer operating in the shadows. We know they're there, and there's no excuse for organizations not to be prepared for what's next.

Just a few years ago, when you Googled 'Magecart,' there would be only a handful of results. Now there are hundreds of thousands. With awareness on our side, this can be the decade we take the fight to JavaScript threats. Here's what to expect as JavaScript threats enter the new decade.

Anything you type, Magecart will take

RiskIQ now detects several Magecart breaches hourly and has observed Magecart skimmers in the wild millions of times. Many of these attacks are amateurish, using crude tactics and pre-packaged tools to try to get a skimmer on any site and any webpage possible. However, there are also sophisticated actors pushing the boundaries of what Magecart can do, and these advanced attacks could very well become the new normal.

Rather than hoping one of their skimmers will reach a website, these skilled Magecart operatives target large retailers specifically, studying the e-commerce platform carefully to understand its vulnerabilities and inner workings. Their goal is to custom-build skimmers that match the site's appearance and functionality, so that they can stealthily intercept not only credit card data but also other information users type into parts of the site beyond the checkout page, where skimmers are usually found. For example, skimming information typed into online shopping profiles, in which customers save names and shipping addresses, lets Magecart actors combine skimmed PII with the corresponding financial data to create "fullz," packages of data that are highly valuable on the black market.

There are a variety of ways to attack the functionality of a website, and operatives with the right insight and enough time will find them.

Magecart will attract threat actors from all over the threatscape

We often find criminal groups operating in one particular ecosystem dip their toe in another and experiment with new methods of monetizing. For example, in 2018, Magecart Group 4, whose focus had been banking malware, began performing card skimming attacks. We're now seeing skilled and experienced threat actors who have made a living in other areas, like phishing, enter the JavaScript threat landscape and incorporate web skimming into their attacks.

In our "Fullz House" report, we showed how a threat group crossed over from the phishing ecosystem into Magecart. Their objective was to add stolen credit card information to the PII they were already taking in a lucrative bid to produce and sell fullz.

Bringing an entirely new skill set to the online skimming game, this group spun up fake payment pages masquerading as legitimate financial institutions. They then redirected unwitting phishing victims to these skimmer-rigged pages to fill out their payment data. This new skimming-phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable to Magecart.

No matter how online transactions are structured nowadays, attackers can and will capture full packages of individuals' identifying and financial information.

When it's lucrative, cryptojacking will surge

There has been a recent decline in browser-based cryptojacking, i.e., secretly using a visitor's computing power to mine cryptocurrency without permission. As cryptocurrency prices plummeted, the cost of mining exceeded the value of the coins produced, and many operators abandoned their campaigns as unviable.

However, with cryptocurrency prices creeping back up, there is a good chance mining will move past the breakeven point, i.e., the point at which it is once again profitable to run cryptojacking campaigns. Because miners embedded in a website's JavaScript can go undetected for months, cryptojacking, an issue most site owners thought they were rid of, will likely rear its head once again.

In 2017, cryptojacking affected 500M users, and in 2018 RiskIQ detected an average of 495 new hosts running cryptocurrency miners each week, with hundreds of them in the Alexa top 10,000. That pace could well continue in 2020 and beyond.

Take on JavaScript Threats in the new decade

Despite JavaScript threats and browser-based attacks hitting the mainstream, many organizations have almost no visibility into their web-facing assets or the way their users interact with them. Because of this, browser-based threats have become a popular go-to method for threat actors to target organizations, their employees, and, perhaps most publicly, their customers. Visibility into your web-facing assets, and understanding what users experience when interacting with them, is vital.

RiskIQ’s worldwide network of web crawlers can continuously interact with an organization's critical websites, detecting changes in the JavaScript that is rendered in the user’s browser along with behavior that could indicate malicious intent. In this regard, RiskIQ web crawlers act as the first victim, allowing the compromised assets to be identified and remediated quickly.
