Autoloaded Server-Side Swiper


Autoloaded Server-Side Swiper (Aug 6, 2019)

Sucuri published a blog post analyzing server-side swipers and how they differ from the more commonly reported client-side swipers. In client-side campaigns, the swiper's JavaScript is injected directly into a compromised site's HTML, which means web scanners can quickly identify its presence. Server-side swipers, however, are injected into the backend code hosted on the site's server. The researchers describe an investigation they worked on in which this technique was used to hide a swiper, and conclude that once threat actors compromise an e-commerce site, they can inject both client-side and server-side credit card stealing malware.

Recommendation: Owners and users of e-commerce sites should not rely exclusively on external scanners. In most cases, external scanners do not reveal server-side malware, which has access to the majority of payment details. Employing server-side malware scanners and file integrity control tools is recommended to monitor for unwanted file modifications and scan for potential vulnerabilities.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.