What is JavaScript?
JavaScript is essentially a scripting programming language that allows you to implement complex items on your webpage. Every time a webpage becomes interactive with the user, e.g. interactive maps, videos, countdown timers, music and even colours, chances are JavaScript is involved. Facebook is a great example of how JavaScript works smoothly and effectively, with videos playing smoothly, polished animation and constant post updates.
What can JavaScript do?
JavaScript is one of the most commonly used programming languages worldwide and is commonly known as a Client Side Script. The majority of web applications, such as internet search engines, work because of an interaction between a user’s device and a remote server.
A Client Side Script is a programming language that performs its tasks entirely on the user’s machine and doesn’t need the server to function. As long as the website you’re accessing has already been loaded, you’re still able to browse that page if the internet cuts out; you won’t, however, be able to load a new page, as this requires server interaction and therefore an internet connection.
The core JavaScript language consists of common programming features which will allow you to do common things such as:
- Store values inside of variables - for example you can store customers’ names under the variable [name]
- Operations on pieces of text (strings in programming) - You can take the string ‘New Player’ and link it with the [name] variable to create a text label e.g “New Player Ben”.
- Running code in response to certain events that happen on your webpage - for example, updating the page when a website visitor clicks on a certain Call-to-Action (CTA)
- Autocomplete - Complete data for you
- Playing Audio and Visual - Social Media Shared Videos + Webpage
- Repairing browser compatibility issues.
Autocomplete is a common function among many internet users today, for frequent searches, email addresses and login details. Essentially what happens is that JavaScript reads the letters as the user types, sends these to a remote server, and the server then sends back suggestions. The software is able to analyse the partial search term and run algorithms to suggest what the user is searching for.
JavaScript also has functionality built on top of the core language, in the form of Application Programming Interfaces (APIs). APIs essentially allow developers to create complex functionality more easily.
Why should I care?
More interactive and engaging websites
Firstly, it makes your website more interesting! JavaScript may not be the only client side scripting language on the market, but it is certainly the most used worldwide. JavaScript is integral to the online experience, as developers continue to build increased interaction and complexity into applications. The language is responsible for the majority of the apps and web pages we use today, for example Instagram, Facebook, interactive web pages, eCommerce, Content Management Systems and more.
Source of infections
Since JavaScript is so widely used by web developers to provide added features to a website, it is also a fan favourite with attackers. As more and more eCommerce websites adopt redirected payment solutions, attackers need to change the game - and they have.
More and more of the investigations that come through our Forensic team have involved JavaScript as the primary cause of payment card data loss. So much so that the industry has started to coin a new term, “digital skimming”, for these attacks.
This is simply because the attacker needs to be able to prevent the eCommerce website from redirecting customers away to the payment page, or at the very least needs to find a way to intercept the payment data. The easiest way to do so is to write a piece of JavaScript that runs on the client side and has the opportunity to grab the data before the customer clicks the pay now button.
Our forensic team typically finds JavaScript code that is designed to wait until a consumer is on the checkout page and has clicked the small radio button relating to their payment option. Once the consumer clicks the radio button, the malicious functions in the JavaScript get to work and simply grab a copy of the data, or inject a fake payment form into the page. The consumer then continues to complete the payment form, thinking that this is normal behaviour for the website. Once the payment information has been provided, the malicious functions typically exfiltrate the information to an external domain before removing the fake form and allowing the customer to be redirected to the legitimate payment page.
The infamous Magecart malware
Magecart is a group of malicious hackers who target eCommerce sites and steal customer payment card data.
The attackers often place JavaScript code onto the victim’s website in order to capture payment card data as it is input by the customer. The attackers achieve this in a variety of ways:
- The JavaScript simply scrapes the payment form at the time of checkout and exfiltrates the data.
- The JavaScript manipulates the payment flow so that an outsourced method, such as an iframe or redirect, is prevented from operating, and the malware presents the consumer with a fake payment form in the page. Once completed, the data is scraped and exfiltrated.
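Defenders can turn the behaviour described above into a check of their own. The following is an added example, not code from the original post or from the FGX-Web product: a small audit that flags scripts, forms, iframes or image beacons appearing on the checkout page at runtime whose origin is not on an allow-list. The shop and payment-provider origins and the /security/alert endpoint are assumed placeholders.

```javascript
// Added example (not from the original post): allow-list audit of nodes that appear
// on the checkout page at runtime; what a skimmer injects (a <script> from an unknown
// host, a fake payment <form>, a replacement <iframe>, an <img> beacon) is flagged.
const ALLOWED_ORIGINS = [          // assumption: your own shop and your payment provider
  'https://shop.example',
  'https://pay.example-psp.com',
];
// Which attribute carries the remote target for each tag we care about.
const TARGET_ATTR = { script: 'src', iframe: 'src', form: 'action', img: 'src' };
function originOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin;  // relative URLs resolve against the page
  } catch (e) {
    return null;                             // unparsable: treat as suspicious
  }
}
// Classify one node description { tag, attrs }: null when allowed, else a finding.
function auditNode(node, pageOrigin, allowed = ALLOWED_ORIGINS) {
  const tag = node.tag.toLowerCase();
  const attr = TARGET_ATTR[tag];
  if (!attr) return null;                    // other elements are not of interest here
  const target = node.attrs[attr];
  if (target === undefined) {
    // A <script> with no src is inline code, the usual way a skimmer is dropped in;
    // a <form> with no action posts back to the page itself and is left alone.
    return tag === 'script' ? { tag, reason: 'inline script injected at runtime' } : null;
  }
  const origin = originOf(target, pageOrigin);
  if (origin === null) return { tag, target, reason: 'unparsable URL' };
  if (allowed.includes(origin)) return null;
  return { tag, target, reason: `origin ${origin} not on allow-list` };
}
function auditNodes(nodes, pageOrigin, allowed = ALLOWED_ORIGINS) {
  return nodes.map(n => auditNode(n, pageOrigin, allowed)).filter(Boolean);
}
// Browser wiring (skipped under Node): watch the live DOM, report to an assumed endpoint.
// A skimmer loaded before this script can tamper with it: a detection aid, not a guarantee.
if (typeof MutationObserver !== 'undefined') {
  new MutationObserver(records => {
    for (const r of records) {
      for (const el of r.addedNodes) {
        if (el.nodeType !== 1) continue;    // element nodes only
        const attrs = Object.fromEntries([...el.attributes].map(a => [a.name, a.value]));
        const finding = auditNode({ tag: el.tagName, attrs }, location.origin);
        if (finding) navigator.sendBeacon('/security/alert', JSON.stringify(finding));
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Serve a script like this early in the page and pair it with a Content-Security-Policy that limits script-src and form-action to the same allow-list, so that what the monitor reports is also what the browser refuses to load.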
To read more about Magecart malware, click the link here.
Visa Security Alert of August 2019
JavaScript skimming attacks have been so frequent in 2019 that Visa has released an alert to eCommerce service providers, warning and informing them about the attacks.
You can read their Security Alert here.
What does this mean for me?
You, as a web developer or eCommerce manager/owner, will have to balance the amount of interactive features you want on your website against the risk of getting breached.
Nowadays, security is just as fundamental as engagement to the success of a website.
In the end you’ll have to decide how much of your time is worth spending on routinely checking whether your website has been infected or breached. If you find that you or someone in your team has enough time to check logs and test your website, then maybe you don’t need website security software. If you don’t, it’s worth checking out our website security solution FGX-Web, which monitors your website and alerts you to any suspicious activity, including JavaScript injections. You can also upgrade and add protection to your website, blocking 99.9% of online threats.
For monitoring and alerting check out FGX-Web.