There is a projected $123B in online purchases this holiday season, according to commerce site shopify.com. Millions of online transactions will occur between now and December 25th. How secure do you feel entering your credit or debit card details into payment portals? We all get a sense of security from HTTPS and the “secure transaction” wording in checkout carts, but does that offer 100% protection to the consumer?
Figure 1: Code snippet of legitimate Google Analytics on a compromised machine.
Figure 2: Malicious code snippet impersonating Google Analytics on the compromised machine.
The domain “g-analytics[.]com” was registered at NameCheap on the 31st of May, 2018. The domain tries to impersonate the domain used by Google for serving Google Analytics (google-analytics[.]com). If a visitor navigates to the g-analytics[.]com site, he/she is redirected to the real Google Analytics site, making the domain appear more legitimate. The response header from the server is shown below:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 19 Nov 2018 10:55:59 GMT
Content-Type: text/html; charset=UTF-8
| Version | Last Modified Timestamp |
|---------|-------------------------|
| 1.0.1 | Sat, 23 Jun 2018 02:47:00 GMT |
| 1.0.3 | Wed, 27 Jun 2018 04:25:33 GMT |
| 1.0.4 | Wed, 27 Jun 2018 11:06:48 GMT |
| 1.0.5 | Thu, 28 Jun 2018 17:25:25 GMT |
| 1.0.6 | Thu, 28 Jun 2018 15:11:47 GMT |
| 1.0.7 | Thu, 28 Jun 2018 16:03:46 GMT |
| 1.0.8 | Tue, 02 Oct 2018 13:59:59 GMT |
| 1.0.9 | Mon, 02 Jul 2018 06:51:07 GMT |
| 1.0.10 | Thu, 05 Jul 2018 05:29:44 GMT |
| 1.0.11 | Wed, 04 Jul 2018 15:41:58 GMT |
| 1.0.12 | Thu, 05 Jul 2018 07:43:21 GMT |
| 1.0.13 | Sat, 07 Jul 2018 12:27:40 GMT |
| 1.0.14 | Sat, 07 Jul 2018 03:58:37 GMT |
| 1.0.15 | Tue, 10 Jul 2018 09:44:23 GMT |
| 1.0.16 | Sat, 03 Nov 2018 16:00:19 GMT |
| 1.0.17 | Mon, 05 Nov 2018 11:02:11 GMT |
| 1.0.18 | Tue, 06 Nov 2018 14:30:54 GMT |
| 1.0.19 | Wed, 07 Nov 2018 13:02:37 GMT |
| 1.0.20 | Thu, 08 Nov 2018 04:23:06 GMT |
| 1.0.21 | Tue, 13 Nov 2018 14:14:21 GMT |
| 1.0.22 | Tue, 13 Nov 2018 14:05:59 GMT |
| 1.0.23 | Tue, 13 Nov 2018 14:04:30 GMT |
| 1.0.24 | Tue, 13 Nov 2018 13:35:32 GMT |
Table 1: Versions of analytics.js and the Last-Modified timestamp given by the server for each.
The file is obfuscated by removing all strings, and some function names, and placing them inside a single obfuscated string. That string is copied into a character array and subjected to a series of decoding operations that produce a string array, as shown in Figure 3.
Figure 3: String array deobfuscation.
The script grabs the page URL and uses a regular expression test to check that the page is either a login page or a purchase-related page by matching the pattern below. Figure 4 shows the check in the code.
Figure 4: Regular expression check.
If this test returns true, it calls “document.querySelectorAll()” in a loop to grab all elements matching the following selectors: input, select, textarea, checkbox.
It checks whether a value has been entered into each field. If a value is present, it grabs the “name” HTML attribute of the element; if there is no name attribute, the script uses the current loop counter as the name. The name and value are appended to a string in the following format:
param_string += [element_name] + '=' + [element_value] + '&'
The script will also save the value using HTML5 local storage, as shown in Figure 5.
Figure 5: Storing the value of all completed fields.
It checks the local storage to see if it was able to obtain a field named “gaudid”. This is a unique identifier for the client that is shopping on the compromised website. If there is no ID number it will generate a unique ID for the victim, as shown in Figure 6.
Figure 6: Unique ID check and generation.
The script then specifically looks for a local storage variable called “infoResult”. If found, it is prepended to the start of the exfiltrated data. The script then begins building its asynchronous HTTP POST request. It creates a regular expression with the following pattern to test for card numbers:
If the test returns true, it sets a flag in the exfiltrated data. The data is then encrypted and encoded with Base64. It is placed in the post data after the field “track”, as shown in Figure 7.
Figure 7: Exfiltration of collected data to the C2.
An example of scraped data before encryption is shown in Figure 8.
Figure 8: Fetched fields before encryption.
The POST request attempts to mimic the style of legitimate Google Analytics’ URL query parameters and request path. The similar request path can be seen in Figure 9, alongside the legitimate Google Analytics request. Note the difference in the HTTP method used and the protocol.
Figure 9: Network requests showing both legitimate and fake Google Analytics requests.
The domain “jquery-js[.]com” was registered at NameCheap on the 2nd of January, 2017. It is similar to g-analytics[.]com in that it impersonates a legitimate site. Users browsing to the site are redirected to the legitimate jQuery site, as can be seen below.
HTTP/1.1 302 Moved Temporarily
Date: Tue, 20 Nov 2018 09:57:45 GMT
Content-Type: text/html; charset=UTF-8
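Two defender-side checks that follow from the analysis above, as an added example that is not code from the original write-up: a script-source audit that flags hosts reusing a brand token the way g-analytics[.]com and jquery-js[.]com do, and a check of a localStorage snapshot for the “gaudid” and “infoResult” keys the skimmer uses. The allowlist, brand tokens and sample inputs are constructed assumptions for this demo.

```javascript
// Added example, not code from the original write-up. The allowlist, brand
// tokens and sample inputs below are constructed assumptions for this demo.

const ALLOWED_HOSTS = new Set(["www.google-analytics.com", "code.jquery.com"]);
const BRAND_TOKENS = ["analytics", "jquery", "google"];
// localStorage keys the write-up attributes to the skimmer.
const SKIMMER_STORAGE_KEYS = ["gaudid", "infoResult"];

// Split a hostname into its dot- and hyphen-separated labels.
function hostTokens(hostname) {
  return hostname.toLowerCase().split(/[.-]/).filter(Boolean);
}

// Classify one absolute script URL: "allowed", "lookalike" (the host reuses a
// brand token, as g-analytics.com and jquery-js.com do), "unknown" or "unparseable".
function classifyScriptSource(src) {
  let host;
  try {
    host = new URL(src).hostname;
  } catch (e) {
    return { src, host: null, verdict: "unparseable", reused: [] };
  }
  if (ALLOWED_HOSTS.has(host)) return { src, host, verdict: "allowed", reused: [] };
  const reused = BRAND_TOKENS.filter((t) => hostTokens(host).includes(t));
  return { src, host, verdict: reused.length ? "lookalike" : "unknown", reused };
}

// Audit a list of absolute script URLs (in a browser console:
// Array.from(document.scripts, s => s.src)) and keep the ones not allowlisted.
function auditScriptSources(srcs) {
  return srcs.map(classifyScriptSource).filter((r) => r.verdict !== "allowed");
}

// Report which skimmer-related keys are present in a localStorage snapshot
// (in a browser console: findSkimmerArtifacts({ ...localStorage })).
function findSkimmerArtifacts(storageSnapshot) {
  return SKIMMER_STORAGE_KEYS.filter((k) =>
    Object.prototype.hasOwnProperty.call(storageSnapshot, k));
}

// Constructed sample inputs: one genuine loader, the two impersonating hosts
// named in the write-up, a first-party script, and a storage snapshot.
const SAMPLE_SCRIPTS = [
  "https://www.google-analytics.com/analytics.js",
  "https://g-analytics.com/analytics.js",
  "https://jquery-js.com/jquery.min.js",
  "https://shop.example/static/app.js",
];
const SAMPLE_STORAGE = { gaudid: "constructed-id", cart: "[]" };
```

A "lookalike" verdict is a prompt for review, not proof of compromise; a first-party host that legitimately contains one of the brand tokens should be added to the allowlist.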
Figure 10: Malicious file with comment block mimicking jQuery.
Figure 11: Second decoding script.
This script decodes and evaluates another string, which is the final malicious script, that performs skimming of shopper details. The malicious script and its deobfuscated version are shown in Figures 12 & 13.
Figure 12: Malicious skimming script.
Figure 13: Deobfuscated version of the script.
The script acts much in the same way as “analytics.js”. It will check that the user is on a payment page and scrape all values filled into input elements in the form. The data is sent to the C2 server over asynchronous HTTP POST in plaintext.
If you have bought something from these sites, consider cancelling your credit or bank card, requesting a newly issued one from your card company, and carefully monitoring your transaction list for potentially malicious activity. Paying via a trusted third-party application, such as Apple/Google Pay, PayPal, or Visa Checkout, reduces the likelihood of your banking and payment information being stolen by this malicious script, because card details entered in the third-party portal are never typed into the form of the compromised site.