The world of cardholder data compromises is a fast-moving one, and one of the areas where this rapid evolution is most visible is in the ways attackers hide their malicious code. The two strategies for code obfuscation that we most commonly see during our investigations are attempts to disguise the code as something benign, or encoding the data in a format makes it unreadable for a human or an automated processes based upon keyword detection.

Examples of the first strategy are as simple as using a URL to host malware that at first glance can be confused with a legitimate service provider, googlc-analytics [dot] cm, for instance.

The other strategy would include methods such as the classic PHP obfuscation "eval(base64_decode(".

A recent investigation carried out by 3B Data Security identified a new approach that would fit within the latter category: obfuscation of JavaScript code using the logical operators AND ("&&") and OR ("||").

The following snippet of code was found within a merchant's e-commerce website:

The code has been split by the attacker to disguise its true purpose, with different ways of concatenating text used to rebuild the final malicious code. Further obfuscation has been added using the "&&" and "||" logical operators.

To determine what is actually happening here, consider the following sections:

('on' || "scroll=bottom")

and

('finished' && 'change')

We can begin to decode these statements using the Web Console built into modern browsers:

When applied to strings rather than boolean values, the OR operator ("||") returns the left-hand operand, whilst the AND operator ("&&") returns the right-hand argument.

By combining this with string concatenation, the rest of the code can be deobfuscated:

this[('on' || "scroll=bottom")  +  ('ready' || "image") +( "moz-loaded" && 'state' + ('finished' && 'change'))]

becomes

this[onreadystatechange]

Applying this methodology across the entire snippet, we arrive at the deobfuscated code:

The code itself was designed to access a picture file saved on the merchant's web server. Analysis of this file confirmed that it had been modified by the attacker, with further malicious code designed to capture payment card data during the checkout process appended to the end of the file.

Typically, compromises of this nature involve unauthorised access to the website's administration pages via a compromise of user account credentials. To help protect against this type of attack, ensure that complex passwords are in place, with multi-factor authentication used to further secure accounts. Restricting access to the administrator panel to an allowlist of approved IP address should also be implemented.