APRIL FOOLS PRANK? ATTACKER HIDES BEHIND
"HARMLESS" THANK YOU PAGE & COOKIES

The Source Defense research team has uncovered a novel attack technique that cleverly disguises malicious activity. In this method, attackers compromise a first-party script and use it to stealthily copy payment details into cookies, a storage mechanism generally regarded as trustworthy, especially when it is written by first-party code.
Amusingly, the attackers name the cookie "csp_f_y," seemingly mocking the Content Security Policy (CSP) mechanism designed to prevent such breaches. Exfiltration is deferred until the user reaches the seemingly innocuous "Thank You" page, a location often considered low-risk and therefore less scrutinized. There the malicious code activates and transmits the harvested payment details to an attacker-controlled domain.
Compounding the challenge, the attackers exfiltrate by assigning an attacker URL carrying the stolen data to window.location.href, i.e. by navigating the browser rather than by making a request. window.location and its href setter are unforgeable in the browser: unlike fetch, XMLHttpRequest or Image.src, they cannot be wrapped or replaced, so traditional JavaScript proxy solutions can neither detect nor block this exfiltration. CSP has no directive that reports or blocks top-level navigation either.
Detecting and preventing Magecart attacks that originate from a server-side breach of a first-party script poses significant challenges. Traditional detection focuses on malicious scripts loaded from external domains or on suspicious activity on payment pages. When an attack exhibits neither, detection becomes considerably more difficult, and combined with the navigation-based exfiltration described above it becomes almost impossible unless one is already aware of this specific technique.
To address these challenges, organizations should implement comprehensive security strategies that include continuous monitoring of both client-side and server-side activity, regular code audits, and the adoption of security solutions capable of detecting anomalous behavior within trusted scripts. Client-side monitoring and protection should cover every page on the site, not just those deemed sensitive, since staging and exfiltration here happen on pages that are rarely watched. Lastly, keeping up to date on evolving threats is critical to mitigating the risk of such attack techniques.
This attack was recently observed live on a Canada-based online toy shop, among other sites. The toy shop has since removed it. While it wasn't one of our customers, we identified this technique independently through our ongoing research into emerging attack patterns. It's a reminder of how threats continue to evolve, and of how proactive research helps keep our customers a step ahead, even when attacks are rare, stealthy, or short-lived.