Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that Administrators should be aware of.  This is a JavaScript-based eCommerce malware that enables the malware to re-infect websites automatically upon incomplete removal.  It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware therefore becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchants website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files is not sufficient enough to detect this malware alone. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove these.

If you are in doubt, contact the SRM  team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Posted 6 months ago on · Permalink