What Is a Malicious Script?
Malicious scripts are fragments of code that have been modified by threat actors for nefarious purposes. Cyber threat actors hide them in legitimate websites, third-party scripts, and other places to compromise the security of client-side web applications and webpages. Malicious scripts most often target customers and users of web applications or websites, since users have no way of knowing that dangerous code exists in these websites or applications and assume the business they are interacting with to be safe and secure.
The malicious code is designed to create or exploit vulnerabilities, leading to client-side security incidents and data exfiltration. (Malicious scripts can also target server-side systems and files.) Cybercriminals often inject malicious code into JavaScript, HTML, Flash, or another code executed within a browser.
How Are Malicious Scripts Used on the Client Side?
Malicious scripts can be used in a variety of different attack types, including cross-site scripting (XSS), HTML injection, JavaScript injection, DOM-based XSS, HTML stuffing, skimming, malvertising, and “drive by” malware attacks.
How Do Client-Side Malicious Scripts Work?
Malicious script attacks use interpreted language like JavaScript. An interpreted code needs an extra step, called an interpreter, to read it line-by-line, turning the human readable text into machine readable code before the machine can execute it.
This means that malicious actors can read the source code then inject and hide their malicious source code so that when the interpreter transforms it into machine readable code, the computer executes the command.
Who Is Targeted by Malicious Scripts?
Any sized business can be the target of a malicious script-based attack. Threat actors use malicious scripts to target a web application’s or website’s end users. The primary reason for these types of attacks is to steal sensitive information like personally identifiable information (PII), credit card data, or protected health information (PHI). Then, the cybercriminals sell that information on the dark web.
Cybercriminals focus their activities on industries known to collect non-public personal information (NPI), although all industries face a risk.
Some industries most at risk are:
- Financial Services & Banking
- Healthcare & Medical
- Ecommerce & Retail
- Travel & Hospitality
- SaaS and Technology
- Media Companies
- Cryptocurrency Exchanges & Blockchain
Other industries also affected by these types of attacks include:
- Real Estate
- Distribution & Transportation
- Education
- Manufacturing
- Energy
- Distribution & Transportation
Who Is Impacted by Malicious Scripts and What Is the Impact?
Malicious scripts can have a far-reaching impact on both end users and organizations, since they compromise websites and web applications.
End Users
Stealing end-user data is the cybercriminals’ end goal, so people browsing the internet or customers using a web application are the first impact layer.
The malicious script’s impact on data subjects can include complications associated with:
- Credit card holder data theft
- Other types of data compromise, including name, email address, password, birthdate, bank information
- Identity theft
- Financial loss/fraud
Organizations building websites and web applications from third- and fourth-party code
Today, websites and web applications are assembled using large chunks of third- and fourth-party pre-written code pulled from code repositories. It is becoming increasingly common for threat actors to intentionally place malicious code into code repositories and libraries with the hopes that the business will download the code and use it on their website or web application. Vulnerable or malicious code needs to be detected to protect both the organization and the end user. As part of a secure software development lifecycle (S-SDLC), developers and security professionals need to review the code to look for potential security problems.
The security incident arising from the malicious script can lead to:
- Reputation damage
- Customer churn
- Incident response and recovery costs
- Compliance fines
- Legal costs, including lawyer fees arising from potential lawsuits for contract violation and liability, as well as customer reimbursement
Types of Attacks Involving Malicious Scripts
- Cross-Site Scripting (XSS) attacks
- DOM-Based XSS
- HTML injection
- JavaScript injection
- HTML Smuggling
- Skimming
- Malvertising
- Drive-by skimming attacks
Malicious scripts & software supply chain attacks
Increasingly, developers use code libraries because they improve development time and software reliability. Developers often copy and paste code from open-source libraries into their projects. However, this means cybercriminals target them as a way to deploy malicious script attacks.
When malicious actors hide malicious code in these trusted libraries, any application using the compromised code is impacted. Since threat actors use these attacks as part of lateral movement across systems and networks, any application connected to the application with the compromised code is also at risk.
Further, every business using the application faces increased data breach risks as well as lateral movement and persistent attack risks.
How to Defend & Protect Against Malicious Scripts
Securing the software development lifecycle (SDLC) is fundamental to reducing the client-side attack surface and mitigating risks associated with malicious scripts.
Some best practices include:
- Shifting security left: Use a DevSecOps model that builds security into the development phase
- Maintaining safe code libraries: Review for blocklisted external libraries, regularly patch/update current libraries, minimize third-party code dependencies, secure access to libraries
- Automating attack simulations: Use automated solutions, like Feroot Inspector, that replicate user actions and attacker reconnaissance activities
- Continuously crawl web assets: Use automated solutions, like Feroot PageGuard, that apply security configurations and permissions to continuously monitor and protect application and websites
- Implement and enforce Content Security Policies (CSPs): Use an advanced, automated CSP to help define website communications, manage policies, and set restrictions.
- Continuously monitor attack surface: Identify and monitor all public internet-facing assets
- Use Subresource Integrity (SRI) automation: Gain visibility into anomalies or changes
