
Client-Side Protection: How Formjacking Attacks Work (and How to Prevent Them)

By Lynn Marks posted 10-21-2020 08:55

Found Image: https://unsplash.com/photos/vII7qKAk-9A 

Learn more about the anatomy of client-side data skimming.

We’ve already talked about some of the broad methods hackers use to compromise sensitive user data in an e-commerce environment. Some of the most common methods involve compromising the scripts that website administrators implement on their sites when adding client-side services.

In order to see how Imperva’s Client-Side Protection tool reliably defends against these types of attacks, we have to look at how hackers in groups like Magecart actually carry them out. These attacks can be quite sophisticated in structure.

Compromised Scripts Lead to Phony Domains

If an attacker manages to compromise a JavaScript file on the target site, the next step is setting up the destination domain that the skimmed data will be sent to. At this point, the attackers purchase and configure domains with names that closely resemble the name of the domain they are attacking.

There are several ways to do this. One of the easiest and most common is simply to create a novel, legitimate-looking derivative of the victim’s original domain name. Adding “dev” or “inc” to the end of almost any domain name produces a result that can be registered as a brand-new domain. If the original owner hasn’t staked a claim on that derivative name, it is open to anyone who wishes to purchase it.

Another method relies on a technique called the IDN homograph attack, an even more insidious way to set up and register a fake domain name. Many web browsers will display Unicode URLs, which means that attackers can register domain names using international character sets whose glyphs look just like the original characters.

For example, the domain registrar treats the character á as a completely different letter from the letter a. This means that an attacker could purchase and register “ámazon.com” and even obtain an SSL certificate for the site with ease.

In this case the diacritic makes the difference easy to spot, but there are international characters that look 100% identical to Latin letters. The Cyrillic letter “en” (Н) is written with a glyph that looks exactly like the Latin letter H. If an attacker set up a phony domain using that letter, it would be impossible to tell the two apart just by looking at them.

Once an attacker has set up this phony domain, the attack can begin. The compromised formjacking script sends a skimmed copy of every user’s sensitive data to this domain, and the attackers simply collect it from there.

Watch the webinar on how to protect your website from client-side attacks like formjacking and Magecart with Imperva.

How Client-Side Protection Catches JavaScript Exploits

Formjacking attacks can go undetected for very long periods of time. Because of the way IDN homograph exploits work, only an automated system can reliably identify when a URL has been replaced with a look-alike version.

Client-Side Protection does this by exposing each domain in its bare ASCII (Punycode) form rather than as rendered Unicode. If you took “ámazon.com” and removed the Unicode, it would read “xn--mazon-wqa.com”. That is an obvious red flag telling you that this is not an authentic domain.

Client-Side Protection uses native browser functionality, the Content Security Policy (CSP) header. It is supported by all modern web browsers and adds no latency to the website’s underlying activity. This header gathers data and delivers reports on where JavaScript requests are being made and which services are receiving them.

Imperva’s Client-Side Protection system parses out those requests and gives the user visibility into each one. This is where we can catch a bad login request going to a phony look-alike site, or find unauthorized transmissions of sensitive credit card data. Client-Side Protection’s Monitor mode gives security professionals total visibility into these services and lets users choose what to do with them.

Every service is tagged in the system. There are four tags that a service can display:

  • Discovered. Once Client-Side Protection begins working, it periodically discovers new services as they are implemented. The Content Security Policy header is always working to discover new JavaScript-enabled services making requests to the application.
  • Allowed. These are services that users have explicitly allowed to connect with the site.
  • Blocked. These are services that have been explicitly blocked from connecting with the site.

Client-Side Protection can also obtain additional information about the services connecting with protected websites, and surfaces these insights so the user can make decisions more quickly.

While hiding a domain’s ownership details is not, by itself, malicious, it is worth investigating further. Security professionals should ask why the domain owner does not wish to be identified, and consider whether a legitimate JavaScript service would behave that way.

This is how Imperva’s Client-Side Protection solution offers one-click mitigation. Users receive alerts as new services connect and can detect changes in JavaScript requests over time. This ensures long-term protection against formjacking attempts and similar client-side attacks. The service is integrated with Imperva’s Attack Analytics, where the alerts are delivered.

Why Does Client-Side Protection Require Cloud WAF to Function?

Some users may wish to use Client-Side Protection as a standalone product; however, Imperva requires this JavaScript monitoring solution to be deployed as a supplemental feature of its existing Cloud WAF solution.

By layering Client-Side Protection on top of our existing Cloud WAF service, we are able to guarantee one-click mitigation. This lets us generate valuable insights without requiring users to change their site code or risk breaking their websites, making client-side monitoring an out-of-the-box solution that adds no latency.

Learn More with the Imperva Community
The Imperva Community is a great place to learn more about how to use Imperva cyber security technologies like API Security, Cloud WAF, Advanced Bot Protection, DDoS Protection, and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts.

Related Blog Content:
Client-Side Protection: New JavaScript Exploits Bypass Website Security Policies

#CloudWAF (formerly Incapsula)