The JavaScript Leech – From Fake Traffic Generation to Cryptojacking

Threat actors are always finding new ways to exploit vulnerabilities and perform fraudulent activities. While the global pandemic drove a sharp rise in online traffic, it also brought a new wave of sophisticated attacks.

Imperva Research Labs has seen an uptick in attackers utilizing JavaScript to perform Magecart-style attacks to access and steal personally identifiable information (PII). To add, they’ve witnessed how a behavior they refer to as JavaScript Leeching can be abused to perform fraudulent activates by injecting JavaScript into a website to exploit traffic and use its visitors to perform actions completely under the radar.

Imperva Research Labs uncovered a full-fledged ad-fraud operation to sell fake traffic. The team discovered a Chrome extension that was exploited and used for conducting a large scale ad-fraud in which scammers were selling traffic to specific websites. By injecting the malicious JavaScript into the target domain, the extension was able to “leech” onto that domain’s visitors and generate traffic to websites paying for their “services”.

This type of JavaScript fraud can also be used for cyptojacking. As recently examined with the Coinhive domain, visitors were used to mine cryptocurrency without them knowing. Similar to the ad-fraud operation, both attack methods stemmed from JavaScript. But instead of showing ads to visitors, Coinhive used JavaScript to steal CPU power, mine cyptocurrency, and make a profit.

We sat down with Erez Hasson, Strategist, Application Security, Imperva to learn more about these cases of JavaScrip fraud and how organizations can defend against it.

Why is JavaScript being utilized by hackers?