JavaScript injection

In 2019 British Airways was fined a remarkable £183 million for a data breach of its systems that affected more than 380,000 customers. Magecart, the hacking group behind the attack, specializes in credit card theft, and British Airways has not been its only target. Ticketmaster, Forbes, Newegg and numerous online webshops have suffered security breaches by Magecart that share a common characteristic: a digital skimmer that steals customer credit card information without the victim's knowledge.

In the real world, a skimmer is a small physical device inserted into a payment terminal and designed to harvest data from credit cards during a swipe. In the digital world, skimming is done through small pieces of JavaScript code injected into the target page that listen in on user interactions with payment forms and steal credit card information.

Credit cards have been the epicenter of such attacks because the loot is easy to monetize on the dark web and in black markets. However, several other types of information could be monetized as well in the hands of cyber criminal groups, such as financial information, personal and corporate information and health data. Considering the number and diversity of cyber criminal groups' expertise, as well as the high success rate and stealthy nature of the attacks, JavaScript injection could soon find a broader audience.

"Considering the number and diversity of cyber criminal groups' expertise, as well as the high success rate and stealthy nature of the attacks, JavaScript injection could soon find a broader audience"

A history of hacks

In 2018 British Airways suffered an attack from the Magecart group that managed to steal CVC codes, expiry dates and credit card numbers using 22 lines of code injected into the checkout page. The following snapshot shows the code used in the attack: it creates a form reader that sends the stolen data to baways.com, a domain controlled by the attackers and used to collect stolen credit card data.

Source: https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

Ticketmaster was not directly compromised by Magecart, but it was affected by a supply chain attack. Inbenta, a third party supplier for Ticketmaster, was breached in 2018, and as a result the attackers were able to run malware directly in Ticketmaster's payment webpages through the compromised third party component.

The online merchant Newegg was hit in a similar fashion to British Airways, with Magecart injecting a slimmer version of the skimmer, 15 lines of code this time.

Source: https://www.riskiq.com/blog/labs/magecart-newegg/

Forbes is yet another example of an attack using the same technique, this time on the subscription page where customers provide their payment details. Moreover, on June 26th 2020 Trend Micro published details about eight US local government services that had fallen victim to Magecart.

Detecting ongoing attacks

Defense must be done in layers and not at a single point. This means implementing a series of often overlapping controls: security principles and procedures, secure configuration baselines, web application scanners, keeping third party components up to date and vulnerability assessments, to name just a few.

This article discusses a detection technique that can be used to monitor production environments and warn companies of ongoing JavaScript injection attacks.

In order to inject the malicious JavaScript, attackers have to alter the JavaScript footprint of the target webpage. In practice this means that either malicious code has to be injected into existing JavaScript files, or the skimmer has to be introduced as a new script. In both cases defenders have an opportunity to detect these changes and act quickly to limit the damage. To do this, cryptographic primitives called hash functions can be used.

Cryptographic hash functions are one-way functions that produce a deterministic output y for each input x. The output y remains the same as long as x remains the same, and it is computationally infeasible to find a different input that produces the same y (collision resistance), so for practical purposes y identifies x. For example, the MD5 hash of the file test.txt containing the phrase "Hello World!" is the following:

“The hash will remain the same as long as the contents of the file remain the same”

Using this property of hash functions, the hashes of a page's JavaScript can be calculated at regular time intervals. If a hash changes, a change in the contents of that JavaScript has been detected.

Detection example

pizzalove.com has a checkout page where customers can enter their credit card details to order pizza. To support the page's functionality, jquery.min.js is included in the checkout page as follows:

openssl can be used to calculate the hash of jquery.min.js version 1.12.4 included in the webpage, using the SHA-256 hash algorithm, as follows:

Now, suppose that attackers breach pizzalove's systems and insert a digital skimmer into jquery.min.js, similar to the ones presented above. This time the hash changes to another value, because the attackers altered the contents of jquery.min.js:

By comparing the old hash value to the new one, defenders are able to detect a change in version 1.12.4 of jQuery, a very interesting finding that should raise suspicion, since a released library version should never change. In a similar way, if malicious JavaScript is injected as a new script in the page, defenders can detect the insertion of the new script.

GitHub project: Suricatajs

The process of monitoring and hash calculation can easily be automated, and Suricatajs was created to illustrate this. Suricatajs is a Python project built to facilitate monitoring of production JavaScript and to create alerts when changes are detected.

A registry of the JavaScript files of each webpage in scope is created in order to detect new files. The script can be scheduled to run regularly, and when a particular version of a JavaScript file is altered a warning is generated. The implemented functionality is basic on purpose, but it can be extended to fit the needs of various companies.
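The detection example above and the registry idea behind Suricatajs, written out as an added example (this is not Suricatajs' own code): a baseline registry of SHA-256 digests is taken from the page's scripts, and a later snapshot is compared against it to flag modified, new or removed scripts. The HTML, the jQuery bytes and the fetch callback are constructed stand-ins; a real monitor would fetch the live page and its script URLs over HTTP.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def snapshot_page(html, fetch):
    """Map each script on the page to its SHA-256 hex digest. fetch(src) must
    return the script bytes; a real monitor would HTTP GET them (assumption)."""
    p = ScriptCollector()
    p.feed(html)
    digests = {src: hashlib.sha256(fetch(src)).hexdigest() for src in p.srcs}
    for i, body in enumerate(p.inline):
        digests[f"inline#{i}"] = hashlib.sha256(body.encode()).hexdigest()
    return digests

def compare(registry, current):
    """Alerts for scripts that are new, changed or missing since the baseline."""
    alerts = []
    for name, digest in current.items():
        if name not in registry:
            alerts.append(f"NEW script: {name}")
        elif registry[name] != digest:
            alerts.append(f"MODIFIED script: {name}")
    alerts += [f"REMOVED script: {n}" for n in registry if n not in current]
    return alerts

# Constructed sample data, not the article's pizzalove.com page or real jQuery.
JQUERY = b"/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"
BASELINE_HTML = '<form id="checkout"></form><script src="/js/jquery.min.js"></script>'
TAMPERED_HTML = BASELINE_HTML + "<script>/* unexpected inline block */</script>"

def demo():
    registry = snapshot_page(BASELINE_HTML, {"/js/jquery.min.js": JQUERY}.get)
    # Later run: the library was altered in place and an inline script appeared.
    altered = {"/js/jquery.min.js": JQUERY + b"/* appended */"}
    return compare(registry, snapshot_page(TAMPERED_HTML, altered.get))
```

Persisting the registry between runs (a JSON file keyed by page URL) and posting the alert list to a chat channel turns this into the scheduled monitor the article describes.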

Discussion

Security teams are the natural driving force in setting security requirements and raising awareness of threats such as the one discussed here. Building a new tool or extending Suricatajs should be easy and can be done by the security team, especially the application security team if your company has one.

However, the results of the scanner should be made available to developers too. It is the developers who can quickly identify whether a new JavaScript insertion is malicious and whether a change is part of a recent release. Make sure to post Suricatajs alerts in a Slack or Teams channel and keep developers in the loop!

"Post Suricatajs alerts in a Slack or Teams channel and keep developers in the loop!"

Translated from: https://medium.com/swlh/injecting-javascript-for-profit-how-to-detect-and-stop-skimmers-a9d5f3f179f5
