Semgrep Rules for Detecting Magecart Skimmers and Obfuscated JavaScript

🛡️ Why We Created These Rules

The global threat posed by Magecart and similar skimming malware continues to grow. Criminals use JavaScript obfuscation and data exfiltration techniques to steal sensitive information, such as credit card details, directly from websites. These attacks often go undetected due to the complexity and variability of the malicious code.

The Insikt Group released their Annual Payment Fraud Intelligence Report: 2024, which stated:

The volume of Magecart e-skimmer infections surged, reaching nearly 11,000 unique e-commerce domains—a threefold increase from 2023. This spike was driven by the CosmicSting vulnerability (CVE-2024-34102), alongside the use of out-of-the-box e-skimmer kits like “Sniffer by Fleras.”

At Santander Cyber Security Research (CSR), we believe in contributing to the security community by sharing actionable tools to detect and mitigate these threats. These Semgrep rules were crafted to identify malicious JavaScript patterns, obfuscation techniques, and credit card skimming operations at scale. Our goal is to help developers, security engineers, and organizations protect their websites and users.


🔥 Common Attack Vectors and Approaches

Magecart attacks target online payment systems by injecting malicious JavaScript into websites, often stealing payment data in real-time. The key challenges include:

  • Obfuscation Techniques: Skimmers heavily obfuscate their code to evade detection.
  • Dynamic Code Execution: Attackers use eval, Function, and other runtime techniques to hide their operations.
  • Data Exfiltration: Skimmers exfiltrate data using fetch, WebSocket, or other covert channels.
  • Storage Abuse: Malicious scripts abuse localStorage and sessionStorage to persist stolen data.

This repository provides robust Semgrep rules to detect these patterns and disrupt such attacks before they cause harm.


🚀 How to Use These Rules

1. Prerequisites

Install Semgrep: You can install Semgrep via pip or by following instructions on semgrep.dev:

pip install semgrep

2. Clone This Repository

git clone https://github.com/Santandersecurityresearch/e-Skimming-Detection.git
cd e-Skimming-Detection

3. Run Semgrep

semgrep --config ./ path/to/your/codebase

4. Understand the Results

Each rule is designed to detect specific malicious patterns. The results will include:

  • Rule ID: The name of the rule that triggered the match.
  • Message: Why this code is flagged.
  • Severity: Level of concern (e.g., WARNING).

5. Customize and Extend

Modify and adjust these rules as you see fit. We welcome PRs too if you wish to make the project better for everyone.

6. 🧩 Rules Overview

| Rule ID | Description | Severity |
|---|---|---|
| detect-obfuscated-js | Detects obfuscated JavaScript and encoded strings | WARNING |
| detect-credit-card-extraction | Flags patterns for extracting and manipulating credit card data | WARNING |
| obfuscated-data-exfiltration | Identifies encoded data exfiltration techniques | WARNING |
| detect-devtools-debugger-check | Detects devtools and debugger anti-debugging techniques | WARNING |
| detect-localStorage | Flags abuse of localStorage for skimming purposes | WARNING |
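Two of the attack vectors listed earlier (dynamic code execution and encoded data exfiltration) can be expressed as Semgrep rules like the ones below. This is an added example for illustration, not one of the repository's own rules: the rule ids, messages, and the particular calls matched are assumptions chosen to show the rule structure, and a real deployment would tune them against the included samples.

```yaml
# Added example rule file (not part of the repository). Rule ids, messages
# and the matched call set are assumptions for illustration.
rules:
  - id: example-dynamic-code-execution
    languages: [javascript]
    severity: WARNING
    message: >-
      Runtime code execution with a non-literal argument ($CODE). Skimmers
      commonly decode an obfuscated payload and hand it to eval/Function;
      review where $CODE comes from.
    patterns:
      - pattern-either:
          - pattern: eval($CODE)
          - pattern: new Function(..., $CODE)
          - pattern: Function(..., $CODE)
      # A plain string literal is not a decoded payload; keep the rule focused
      # on code assembled at runtime, e.g. eval(atob(blob)) or eval(parts.join("")).
      - pattern-not: eval("...")
      - pattern-not: new Function(..., "...")
      - pattern-not: Function(..., "...")

  - id: example-encoded-exfiltration
    languages: [javascript]
    severity: WARNING
    message: >-
      Outbound request whose payload is base64/URL-encoded at the call site
      ($BODY). Skimmers hide harvested form data this way; confirm $URL is an
      expected endpoint.
    patterns:
      - pattern-either:
          - pattern: fetch($URL, {..., body: $BODY, ...})
          - pattern: navigator.sendBeacon($URL, $BODY)
          - pattern: $WS.send($BODY)
          - pattern: $IMG.src = $URL + $BODY
      # Only fires when the encoding happens inline; a payload encoded into a
      # variable earlier would need a taint-mode rule instead.
      - metavariable-pattern:
          metavariable: $BODY
          pattern-either:
            - pattern: btoa(...)
            - pattern: encodeURIComponent(btoa(...))
            - pattern: encodeURIComponent(JSON.stringify(...))
```

Save the file (for example as example-rules.yaml) and run it on the bundled samples with semgrep --config example-rules.yaml path/to/sample.js; findings report the rule id, message and severity as described in step 4.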

7. Rules Running

When everything is set up, a run should look like this:

⚠️ Disclaimer

These rules are provided as-is, without any guarantees or warranties. While they can significantly enhance detection capabilities, security is a shared responsibility. Always conduct your own testing and threat analysis. We have also added two Magecart samples for you to test these rules on: one obfuscated and one reverse engineered.

📧 Contact

For questions or suggestions, feel free to reach out to us by opening an issue on this repository.
