October 18, 2016 By Douglas Bonderud 2 min read

Buying products or services online always comes with a measure of risk. Does the business properly secure and store credit card data? Does it take steps to protect against cyberfraud?

While most companies recognize the need for PCI DSS-compliant policies and safe data handling, a recent CSO Online article noted another rising risk: malicious JavaScript. Nearly 6,000 online shops have been compromised by this code, which is specifically designed to intercept and steal payment card information.

Is Malicious JavaScript a Long-Term Threat?

This isn’t a new threat. Back in 2015, Dutch researcher Willem de Groot reported these online skimming tactics at more than 3,500 stores. But despite his warning, the situation hasn’t improved. The total number of affected stores has nearly doubled, and of the 3,500 originals, 750 are still putting customer credit card data at risk.

Here’s the problem: This malicious JavaScript not only targets pages with “checkout” in the URL, but also goes after payment plugins like Fire Checkout and PayPal to swipe consumer data. It’s deployed using known vulnerabilities in content management and e-commerce platforms to effectively get behind both HTTP and HTTPS-protected sites and grab information, but many companies don’t recognize the seriousness of the issue.

Some claim that since payments are handled by third parties, it’s not their problem, while others rely on HTTPS to safeguard their interests. But since this JavaScript is installed behind HTTPS at the server level, all information users enter into the checkout page is up for grabs. While 334 stores fixed their issues after the news broke last week, 170 new stores were later hacked.

Laying Down the Law

So how do companies protect their credit card data from malicious JavaScript and other attacks? They can start by recognizing that no e-commerce service is truly safe. Known vulnerabilities open holes for malware to slip through, and attackers are always looking for new ways to compromise lucrative payment portals.

In addition, companies need to consider the use of reliable third-party monitoring and detection tools that can alert them to possible avenues of compromise and help limit their total risk — an essential step given the increasing regulation of personal data storage, transmission and security.

Better consumer data protection will also demand more active involvement from big players in the online space. As noted by Fox Business, for example, search giant Google is rolling out a new policy as of January 2017: Any HTTP site that transmits credit card information or passwords will be considered insecure by the company’s Chrome browser.

Right now, HTTPS sites are displayed as secure and HTTP sites as neutral. Raising the threat profile on HTTP-only checkout processes should improve customer awareness and prompt greater demand for secure checkout options.

Financial data remains a high-value target for cybercriminals. Malicious JavaScript is simply the newest tool used to crack credit card information, and it reinforces the need for more active monitoring and supervision of e-commerce sites by sellers and payment processors alike.

It’s a reminder that there’s no resting on one’s laurels here, since even HTTPS is of no use if cybercriminals infect the servers directly. Companies, third parties and dominant online entities need to collectively tackle these sneaky swipers head on.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today