What is a JavaScript Sniffer?
A JavaScript Sniffer (JS Sniffer) is a form of malware used as part of a client-side, cross-site scripting (XSS) attack. It injects malicious code into legitimate JavaScript, collecting sensitive data during user input. The malicious code embedded into the legitimate code is difficult to detect because it may be as short as 20 lines.
JS Sniffer variants are called families. Some examples of families include:
- Universal: Targets different types of payment forms such as content of hardcoded HTML element lists.
- Content Management Systems (CMS): Targets specific payment forms by searching for fields in a CMS, like Magento, OpenCart, Shopify, WooCommerce, WordPress.
How does a JavaScript Sniffer work?
A sniffer is not always malicious. Sniffers are hardware or software that monitor network traffic by examining packets. In some cases, security teams may use a sniffer for network security. However, cybercriminals leverage the same JavaScript Sniffer tools as security teams to steal data and remain undetected.
JavaScript is a programming language used to implement dynamic website content features, like forms on a payment page. The problem is that JavaScript is an interpreted language, meaning that the targeted machine does not directly execute the instructions. This means that other programs, including those used by cybercriminals, can also read the language.
Since cybercriminals’ tools can read the JavaScript, they can insert malicious code into the website’s payment form. When users enter data into the form, the JavaScript Sniffer examines the packets, stealing the information.
Typically, an attack follow three basic steps:
- Gain access to the site: Cybercriminal can use compromised credentials, exploit vulnerabilities, or pay another group for access.
- Install the sniffer: Cybercriminals can install it using a control panel or web shell or by adding it to a legitimate code library.
- Monetize stolen data: Cybercriminals either sell the data on the dark web or use it to fraudulently purchase items.
JavaScript Sniffer Infection Rates
Since JS Sniffers are difficult to detect and infection rates may be under-reported. However, 2019 industry research from Group-IB noted:
- 2,440: Number of online stores accepting bank cards infected
- 3,000: Number of people impacted per day by Illum, G-Analytics, and TokenMSN families
- 440,000: Number of people per day visiting sites infected with MagentoName and CoffeeMokko families
- 250,000: Number of people per day visiting sites infected with WebRank family
Who is targeted by JavaScript Sniffers?
JS Sniffers target any website or web application containing sensitive data, not just online stores. Any business, large or small, that uses JavaScript on the website page that captures sensitive personal information is at risk. For example organizations can experience a data breach from a JS Sniffer if the webpage collects the sensitive information such as:
- User names
- Passwords
- Payment data, like credit card information
- Sensitive personally identifiable information (PII), like protected health information (PHI)
In late 2021, the Lazarus threat group infected several e-commerce shops with a new JS Sniffer family called BTC Charger. This new JS sniffer family is designed to steal cryptocurrency from online shoppers, indicating new attack methods.
Traditionally, people viewed JS Sniffers as a security risk for the e-commerce sector. However, as more organizations and industries began accepting credit card payments online, this type of malware can place them at risk, too.
Some industries most at risk are:
- Financial Services & Banking
- Healthcare & Medical
- Ecommerce & Retail
- Travel & Hospitality
- SaaS and Technology
- Communication, Social Media, & Content Producers
- Cryptocurrency Exchanges & Blockchain
Other industries also affected by these types of attacks include:
- Real Estate
- Technology & Cybersecurity
- Distribution & Transportation
- Education
- Entertainment
- Manufacturing
- Energy
- Distribution & Transportation
Who is impacted by JavaScript Sniffers and what is the impact?
Since so many websites use JavaScript, JS Sniffers can impact anyone. The main difference is how they impact the person or business.
Users/Customers
JavaScript Sniffers target nonpublic personal information (NPI) that can be sold on the dark web. With monetary gain as the end goal, customers are often the first group impacted by the incident.
Some impacts include:
- Compromised data
- Direct financial loss
- Identity theft/fraud
Victim Organization
JS Sniffer attacks also impact the targeted organization. The loss of customer PII can lead to:
- Reputational damage
- Customer churn
- Loss of revenue
- Compliance fines associated with failure to comply with regulations or standards, like those required by the Payment Card Industry Data Security Standard (PCI DSS)
- Legal costs, including lawyer fees and customer reimbursement
CMS or Payment Processing Platform
Many JS Sniffers focus on CSMs and payment systems instead of the organization itself.
The impact to these organizations includes:
- Reputation
- Customer churn
- Incident response and recovery costs
- Compliance fines
- Legal fees
Acquiring and Issuing Banks
Finally, the banks themselves sit furthest from the location of the data breach but still feel the ripple effect.
The acquiring bank is the financial institution that credits merchants. The issuing bank is the financial institution that debits the customer’s account. While an acquiring bank may be a payment processor, this isn’t always the case.
In response to a JS Sniffer attack, the acquiring and issuing banks face losses arising from:
- Brand abuse
- Customer churn
- Responding to fraud
- Legal fees
Who uses JavaScript Sniffers?
Most often, cybercriminals using JS Sniffers are financially motivated. They tend to treat the attacks like a business, similar to current ransomware models. This leads to two different groups of threat actors.
Develop a New JS Sniffer
Some threat actors choose to develop their own malicious code. However, this is a time-intensive, costly process. Often, the cost of developing new code reduces the cybercriminal’s financial gain.
JavaScript-Sniffer-as-a-Service (JSaaS)
More often, cybercriminals purchase the malicious code according to a software-as-a-service (SaaS) model. They either pay for a subscription upfront or pay a percentage of the money they make from the attack. A JavaScript Sniffer may cost anywhere from $250 to $5,000.
This JSaaS model makes deploying the attacks more cost-effective, leading to more attacks. Unfortunately, this also makes it more difficult to know how many cybercriminals are using any given family or who developed the malware in the first place.
JavaScript Sniffer: Methods of Infection
Cybercriminals insert malicious JavaScript Sniffer code in two ways:
- Directly on site
- Through third-party service
Injected Into Site Code
To directly inject code into the site, the cybercriminals usually:
- Deploy a credential based attack: Using a brute force attack or compromised administrative password, they access the website console so they can insert the JavaScript.
- Exploit known or unknown vulnerabilities: Cybercriminals gain access to the CMS by finding an unpatched vulnerability then insert the malicious code.
Third-Party Service Provider
Many websites use third-party services, such as chatbots or analytics. Leveraging a third-party service provider vulnerability gives the cybercriminals access to the website, enabling them to insert the code.
JavaScript Sniffers & Software Supply Chain Attacks
Cybercriminals also target the software supply chain. This is almost like a combination of a direct injection and a third-party service provider methodology.
The cybercriminals gain access to a JavaScript code library and insert their malicious code. This then spreads the malware to any application or website using the code repository. With the code embedded in the website through what developers thought to be a legitimate library, the JavaScript Sniffer evades detection.
This then leads to the business supply chain impact across customers, businesses, platforms, acquiring banks, and issuing banks.
What does JavaScript Sniffer architecture look like?
A JavaScript Sniffer has two parts:
- Client-Side: Initial data collection using lists of hard-coded names, regular expressions for defining fields, or basic HTML elements.
- Server-Side: Sends the compromised data to the cybercriminal.
How to Defend & Protect Against JavaScript Sniffer Attacks
Reducing the client-side attack surface and securing the software development lifecycle (SDLC) help protect against JS Sniffer attacks.
Some best practices include:
- Shifting security left with DevSecOps to build security into the development phase.
- Maintaining safe JavaScript libraries reviewing for blocklisted external libraries, regularly patching/updating current libraries, and minimizing third-party JavaScript library dependencies.
- Using automated code testing tools like Feroot Security Inspector.
- Scanning for unauthorized scripts and anomalous code behavior with automation like PageGuard.
- Implementing, monitoring, managing, and optimizing Content Security Policies (CSPs) to define website communications using technologies like DomainGuard.
- Monitoring the attack surface for known and unknown vulnerabilities and threats.
- Testing code copied from external libraries to reduce risk.
- Monitoring SaaS applications to detect malicious code.
- Using Subresource Integrity (SRI) automation for visibility into anomalies or changes.
- Enforcing security policies and restrictions.
- Installing Web Application Firewalls to analyze web traffic at the application layer.
