The JavaScript Leech – From Fake Traffic Generation to Cryptojacking

Threat actors are always finding new ways to exploit vulnerabilities and perform fraudulent activities. While the global pandemic drove a sharp rise in online traffic, it also brought a new wave of sophisticated attacks.

Imperva Research Labs has seen an uptick in attackers using JavaScript to perform Magecart-style attacks that access and steal personally identifiable information (PII). The team has also observed how a behavior it refers to as JavaScript Leeching can be abused for fraud: an attacker injects JavaScript into a website and uses the browsers of that site's visitors to perform actions that neither the site owner nor the visitors notice.

Imperva Research Labs uncovered a full-fledged ad-fraud operation selling fake traffic. The team discovered a compromised Chrome extension that was used to conduct large-scale ad fraud in which scammers sold traffic to specific websites. By injecting malicious JavaScript into the target domain, the extension "leeched" onto that domain's visitors and used their browsers to generate traffic to the websites paying for the scammers' "services".

This type of JavaScript fraud can also be used for cryptojacking. As seen with the Coinhive domain, visitors' browsers were used to mine cryptocurrency without their knowledge. Both attack methods stem from injected JavaScript, but instead of using visitors' browsers to generate paid-for traffic, Coinhive used JavaScript to consume visitors' CPU time, mine cryptocurrency, and turn a profit.

We sat down with Erez Hasson, Strategist, Application Security, Imperva to learn more about these cases of JavaScript fraud and how organizations can defend against it.

Why is JavaScript being utilized by hackers?

"JavaScript makes for a dangerous combination: an easy-to-use tool that is difficult for security teams to manage. Many organizations today are heavily reliant on third-party services like point-of-sale (POS) modules, appointment schedulers, content widgets, live chat and more. Security teams struggle to keep an inventory of all these services executing in their applications at any given moment, making them a blind spot. Even if you could keep up with the inventory, how would you know if a familiar service, newly compromised, was exfiltrating data? In addition, the fact that JavaScript is an extremely flexible tool, easily manipulated in numerous ways to benefit bad actors, makes it an ideal vector for abuse."
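The inventory problem described above, as an added example that is not code from Imperva or from the article: a build-time inventory of the `<script>` tags a page ships, diffed against an approved baseline so that a script from an origin nobody reviewed, or a reviewed vendor loaded without Subresource Integrity, is surfaced instead of staying a blind spot. The page HTML, hostnames, paths and the SRI hash are constructed for the example.

```javascript
// Added example, not code from Imperva or the article: a build-time inventory of
// the <script> tags a page ships, diffed against an approved baseline. All hostnames,
// paths and the SRI hash below are constructed for the example.

const PAGE_ORIGIN = "https://shop.example.com";

// Constructed checkout page: first-party app code, an approved chat widget pinned
// with Subresource Integrity, an approved scheduler loaded without SRI, an injected
// script on a host nobody approved, and an inline snippet.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://chat.example-vendor.com/widget.js"
        integrity="sha384-ConstructedPlaceholderNotARealHash0000000000000000000000000000000"
        crossorigin="anonymous"></script>
<script src="https://cdn.example-scheduler.net/v2/embed.js"></script>
<script src="https://static.leech-example.org/l.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Third-party origins the security team has reviewed and approved (constructed).
const APPROVED_ORIGINS = new Set([
  "https://chat.example-vendor.com",
  "https://cdn.example-scheduler.net",
]);

const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// attribute name, then optionally = "double-quoted" | 'single-quoted' | unquoted value
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// One entry per <script> tag: where it comes from and whether it is pinned with SRI.
function inventoryScripts(html, pageOrigin) {
  const entries = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    if (!("src" in attrs)) {
      entries.push({ kind: "inline", origin: pageOrigin, src: null, hasIntegrity: false });
      continue;
    }
    const url = new URL(attrs.src, pageOrigin); // resolves relative first-party paths
    entries.push({
      kind: url.origin === pageOrigin ? "first-party" : "third-party",
      origin: url.origin,
      src: url.href,
      hasIntegrity: typeof attrs.integrity === "string" && /^sha(256|384|512)-/.test(attrs.integrity),
    });
  }
  return entries;
}

// Compare the inventory with the baseline. An unapproved origin is the injected-script
// case; an approved origin without SRI is the "familiar service, newly compromised"
// case, because a changed file at the vendor would load unchecked.
function reviewInventory(entries, approvedOrigins) {
  const findings = [];
  for (const e of entries) {
    if (e.kind !== "third-party") continue;
    if (!approvedOrigins.has(e.origin)) {
      findings.push({ severity: "high", origin: e.origin, src: e.src,
                      reason: "third-party script from an unapproved origin" });
    } else if (!e.hasIntegrity) {
      findings.push({ severity: "medium", origin: e.origin, src: e.src,
                      reason: "approved origin but no Subresource Integrity attribute" });
    }
  }
  return findings;
}

const entries = inventoryScripts(SAMPLE_HTML, PAGE_ORIGIN);
console.log(`${entries.length} script tags, ` +
            `${entries.filter((e) => e.kind === "third-party").length} third-party`);
for (const f of reviewInventory(entries, APPROVED_ORIGINS)) {
  console.log(`[${f.severity}] ${f.src}: ${f.reason}`);
}
```

Two caveats a practitioner would add. A build-time scan only sees what the server ships: scripts that other scripts add at runtime, or code injected in the visitor's browser as in the extension case, need a runtime view such as CSP violation reports or a client-side agent. And SRI pins a hash, so it breaks the moment a vendor updates its file; vendors that self-update cannot be pinned, which is exactly where visibility beyond SRI is needed.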

What kind of uptick are you seeing in attackers utilizing JavaScript? (metrics)

"Across the industry, we are seeing increased malicious activity in retail. On average, online retailers today use 31 JavaScript resources per site. They also use online forms extensively (e.g. login pages, checkout pages), making them an ideal target for formjacking and Magecart attacks."

Have you uncovered any ad-fraud operations recently?

"Imperva Research Labs has recently uncovered a massive ad-fraud operation aimed at taking advantage of traffic to a popular online retailer. The scammers were seeking to make a profit by selling traffic to their customers. They used a compromised Chrome extension to inject malicious JavaScript into a target website. That JavaScript snippet was then used to leech onto the traffic from the targeted website and direct it to customers paying for their services."

What else can JavaScript fraud be used for?

"Embedded JavaScript code can be used for maliciously monitoring mouse movements and keystrokes without a user's knowledge; tracking user behavior; injecting code to exploit a user's browser; stealing cookies; and impersonating users to perform actions on a separate website."

How can organizations combat JavaScript fraud?

"Make sure all current and future third-party services are secure. It is essential for the security organization to have full visibility into the third-party JavaScript executing on its applications. This isn't an easy task, considering security isn't always part of the development cycle. Taking advantage of HTTP Content-Security-Policy headers is another option, yet it is difficult to implement and maintain across the organization. Also consider adopting a dedicated Client-Side Protection solution that provides an easy workflow to discover, review, mitigate and monitor any JavaScript-based service on your applications."
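The Content-Security-Policy option mentioned above, as an added example that is not code from Imperva or the article: a small CSP evaluator that parses a policy, applies the CSP3 fallback chain (for instance a Web Worker with no `worker-src` or `child-src` is governed by `script-src`), and reports which loads a browser would block. Run against loads modelled on the cases in this piece, it shows the injected leech script, its traffic-generating requests and a Coinhive-style mining worker all being refused while the approved vendors keep working. The policy, hostnames and loads are constructed; the evaluator handles `'self'`, `'none'`, scheme and host source expressions and treats nonces, hashes and `'unsafe-inline'` as non-matching.

```javascript
// Added example, not code from Imperva or the article: a small evaluator for the
// HTTP Content-Security-Policy header. Policy, hostnames and loads are constructed.
// Covers 'self', 'none', scheme-source and host-source expressions only; nonces,
// hashes and 'unsafe-inline' are treated as non-matching.

const PAGE_ORIGIN = "https://shop.example.com";

// Constructed policy for a retailer's checkout page: scripts only from the site
// itself and two reviewed vendors, XHR/fetch only to the site's own API, no frames.
const POLICY = [
  "default-src 'self'",
  "script-src 'self' https://chat.example-vendor.com https://*.example-scheduler.net",
  "connect-src 'self' https://api.shop.example.com",
  "frame-src 'none'",
  "img-src 'self' https:",
  "report-uri /csp-report",
].join("; ");

// CSP3 fallback: the first directive in the chain that the policy defines governs the load.
const FALLBACK_CHAIN = {
  "script-src":  ["script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "img-src":     ["img-src", "default-src"],
  "frame-src":   ["frame-src", "child-src", "default-src"],
  "worker-src":  ["worker-src", "child-src", "script-src", "default-src"],
};

const DEFAULT_PORT = { "https:": "443", "http:": "80" };
// optional scheme://, optional *. wildcard, host (or bare *), optional :port, optional /path
const HOST_SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?(\/\S*)?$/i;

function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit this URL? Mirrors CSP matching for
// scheme-source, 'self' and host-source (scheme, wildcard host, port, path prefix).
function matchSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {                 // scheme-source, e.g. "https:"
    return url.protocol === e || (e === "http:" && url.protocol === "https:");
  }
  if (e === "*") return /^https?:$/.test(url.protocol);
  const m = HOST_SOURCE_RE.exec(expr);
  if (!m) return false;                                  // keywords, nonces, hashes: not URL-based
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    const want = scheme.toLowerCase() + ":";             // http: in the policy also allows https
    if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;
  } else if (!/^https?:$/.test(url.protocol)) {
    return false;                                        // no scheme given: only http(s) matches
  }
  const hostname = url.hostname.toLowerCase(), h = host.toLowerCase();
  if (wildcard ? !hostname.endsWith("." + h) : hostname !== h) return false;
  if (port && port !== "*" && (url.port || DEFAULT_PORT[url.protocol]) !== port) return false;
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function evaluateLoad(directives, kind, urlString, pageOrigin) {
  const url = new URL(urlString, pageOrigin);
  const chain = FALLBACK_CHAIN[kind] || [kind, "default-src"];
  const governing = chain.find((d) => d in directives);
  if (!governing) return { allowed: true, directive: null };   // policy is silent on this load
  const sources = directives[governing];
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") {
    return { allowed: false, directive: governing };
  }
  return { allowed: sources.some((s) => matchSource(s, url, pageOrigin)), directive: governing };
}

function auditPolicy(policy, loads, pageOrigin) {
  const directives = parsePolicy(policy);
  return loads.map((l) => ({ ...l, ...evaluateLoad(directives, l.kind, l.url, pageOrigin) }));
}

// Constructed loads modelled on the article's scenarios: legitimate page traffic,
// an injected leech script with its traffic-generating requests, and a miner worker.
const LOADS = [
  { kind: "script-src",  url: "https://shop.example.com/static/app.js",        label: "first-party script" },
  { kind: "script-src",  url: "https://chat.example-vendor.com/widget.js",     label: "approved chat widget" },
  { kind: "script-src",  url: "https://cdn.example-scheduler.net/v2/embed.js", label: "approved scheduler (wildcard host)" },
  { kind: "script-src",  url: "https://static.leech-example.org/l.js",         label: "injected leech script" },
  { kind: "connect-src", url: "https://api.shop.example.com/cart",             label: "first-party API call" },
  { kind: "connect-src", url: "https://collector.leech-example.org/hit",       label: "leech beacon to a paying site" },
  { kind: "frame-src",   url: "https://ads.leech-example.org/land",            label: "hidden iframe to a paying site" },
  { kind: "worker-src",  url: "https://miner.example-pool.org/worker.js",      label: "Coinhive-style mining worker" },
  { kind: "img-src",     url: "http://tracker.example.net/p.gif",              label: "plain-http tracking pixel" },
];

for (const r of auditPolicy(POLICY, LOADS, PAGE_ORIGIN)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.label} (${r.url}) via ${r.directive}`);
}
```

In practice a policy like this is first shipped as `Content-Security-Policy-Report-Only`, with the `report-uri` endpoint's violation reports reviewed against the script inventory before enforcement is switched on; that is where the maintenance burden the interview mentions lives. An evaluator of this kind checks host-based sources only, so inline scripts still need nonces or hashes, and whether a browser applies the page's CSP to code injected by a browser extension varies by browser, so the header alone should not be relied on for the extension-injection case described above.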