Cloudflare launches JavaScript dependency dashboard utility to warn of Magecart-style fraud

Script Monitor aims to thwart skimmers

Cloudflare has launched a tool designed to help prevent Magecart-style attacks on payment card processing.

Beginning in 2015, cybercrime groups stole payment card information from Magento stores by infecting third-party plugins with malicious code.

Victims of these Magecart-style software supply chain attacks include Ticketmaster, Newegg, British Airways and others.

Shield up

In response, Cloudflare has launched Script Monitor, a tool that records a site's JavaScript dependencies in order to pick up potentially malicious changes that could be the sign of a Magecart attack.

Script Monitor – available as a beta – is the first available component of Page Shield, a client-side security product from Cloudflare that was unveiled on Thursday (March 25th).

Script Monitor analyzes legitimate third-party code on the site and alerts the customer when any new code is added or existing code is changed.

John Graham-Cumming, CTO of Cloudflare, told The Daily Swig that, at least initially, it will be up to customers to determine whether the JavaScript dependencies that appear on their dashboards are good or bad.

“The initial release of Page Shield will generate a dependency report, available both through the dashboard and through an API, that will contain links to the relevant JavaScript files that are detected,” Graham-Cumming explained.

“The goal is to provide insight into these dependencies initially, and to expand the report with signals from Cloudflare to identify malicious vs [versus] not malicious in the next iteration.”

According to Cloudflare, existing browser technologies such as Content Security Policy (CSP) and Subresource Integrity (SRI) provide some protection against client-side threats, but have drawbacks that its Script Monitor is able to overcome.

Due to Cloudflare's unique position between application origin servers and end users, we can change responses before they reach end users. In this case we add an additional Content-Security-Policy-Report-Only header to pages as they pass through our edge.

When JavaScript files attempt to execute on the page, browsers send reports back to Cloudflare. Because we use the header only for reporting, application owners do not have to maintain allow lists to get relevant insights.

For each report we see, we compare the JavaScript file with the historical dependencies of that zone and check whether the file is new. If so, we trigger an alert so customers can investigate and determine whether the change is expected.
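The three steps above (inject a report-only CSP header at the edge, collect the browser's violation reports, diff the reported scripts against the zone's known dependencies) can be modelled in a few dozen lines. The following is an added example written for this article, not Cloudflare's own code; the report endpoint, the function names and the constructed baseline and sample reports are all assumptions, and it uses the legacy `csp-report` JSON wrapper that browsers post to a `report-uri` endpoint.

```javascript
// Added example (not Cloudflare's code): a minimal model of the script-monitoring
// flow described above. All names and sample data are this example's own.

// Placeholder endpoint; a real deployment would use its own reporting URL.
const REPORT_ENDPOINT = "https://csp-reporting.example/report";

// Step 1: a report-only policy that allows only same-origin scripts. Every
// third-party script load then produces a report, but nothing is blocked.
function buildReportOnlyHeader(reportUri = REPORT_ENDPOINT) {
  return `script-src 'self'; report-uri ${reportUri}`;
}

// Attach the header to a response header map (plain object, lowercase keys),
// the way an edge proxy would rewrite the response on its way to the browser.
function addReportOnlyHeader(headers, reportUri = REPORT_ENDPOINT) {
  return {
    ...headers,
    "content-security-policy-report-only": buildReportOnlyHeader(reportUri),
  };
}

// Step 2: parse one posted report body. Returns the script URL without its
// query string, or null when the report is not about an external script.
function scriptUrlFromReport(body) {
  const report = JSON.parse(body)["csp-report"];
  if (!report) return null;
  const directive =
    report["effective-directive"] || report["violated-directive"] || "";
  if (!directive.startsWith("script-src")) return null;
  const blocked = report["blocked-uri"];
  if (!blocked || blocked === "inline" || blocked === "eval") return null;
  try {
    const u = new URL(blocked);
    return `${u.origin}${u.pathname}`; // cache-busting query strings are ignored
  } catch {
    return null; // relative or opaque value that cannot be attributed to a host
  }
}

// Step 3: compare each reported script with the zone's historical baseline and
// return the sorted list of scripts never seen before (the alert candidates).
function findNewScripts(reportBodies, baseline) {
  const known = new Set(baseline);
  const alerts = new Set();
  for (const body of reportBodies) {
    const url = scriptUrlFromReport(body);
    if (url && !known.has(url)) alerts.add(url);
  }
  return [...alerts].sort();
}

// Constructed sample data: two known dependencies for a fictional shop, and
// four reports, one of which names a script the zone has never loaded before.
const BASELINE = [
  "https://cdn.example-analytics.test/tag.js",
  "https://checkout.example-shop.test/static/cart.js",
];

function makeReport(blockedUri) {
  return JSON.stringify({
    "csp-report": {
      "document-uri": "https://example-shop.test/checkout",
      "violated-directive": "script-src 'self'",
      "effective-directive": "script-src",
      "blocked-uri": blockedUri,
      "status-code": 200,
    },
  });
}

const SAMPLE_REPORTS = [
  makeReport("https://cdn.example-analytics.test/tag.js?v=3"),
  makeReport("https://checkout.example-shop.test/static/cart.js"),
  makeReport("https://static.unknown-host.test/js/form.js"),
  makeReport("inline"),
];

console.log(addReportOnlyHeader({ "content-type": "text/html" }));
console.log("new scripts:", findNewScripts(SAMPLE_REPORTS, BASELINE));
```

Two design choices are worth noting. The baseline is keyed on origin plus path so that a versioned query string on a known script does not raise an alert, while a new host always does; and because the policy is report-only, an alert never blocks the page, which is exactly why the customer still has to decide whether the new dependency is expected.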

Page Shield can already be tuned to some extent, but Cloudflare plans to refine this aspect of the technology further to avoid bombarding users with too many alerts.

Graham-Cumming said: “As we further develop the product, we plan to expand both the alerting capabilities and the data available in the reports to highlight malicious in relation to [versus] unintentional changes according to our detection mechanisms.”

Client-side security is only one part of web application security, according to Graham-Cumming, who added that a defense-in-depth approach is needed.

“Businesses should approach the problem holistically and consider compatibility with other must-have solutions such as WAF, API protection, SSL management and so on,” Graham-Cumming concluded. “Cloudflare's solutions are fully compatible with each other.”

Given Cloudflare’s online position, “we have a great opportunity to ‘solve’ Magecart-style attacks,” according to Graham-Cumming.

Page Shield, of which Script Monitor is the first available component, is part of Cloudflare's broader client-side security push. Earlier this week, Cloudflare launched Remote Browser Isolation as a means for customers to mitigate client-side attacks on employee browsers.
