Magecart mayhem has compromised online shoppers for years, and its activity has ramped up with attacks against Smith & Wesson, Macy's, and, most recently, Rooster Teeth. In a nutshell, attackers inject malicious code onto the checkout page of e-commerce platforms to lift payment data.
Normally, everyday consumers and small businesses learn about these incidents the hard way – after data has already been stolen. Security experts have advised the use of Content Security Policy (CSP) and Sub Resource Integrity (SRI) to prevent Magecart attacks. However, people and organizations with limited resources may not have the means to put these measures in place.
To give these users a Web security edge, Trustwave senior security researcher Michael Yuen today published a blog detailing how they can use a browser to check whether a shopping website is compromised. The process starts by accessing urlscan[.]io and running a public scan for the chosen site. Under "Domain & IP information," they can see IPs and domains of all requests performed on the site.
In an example, Yuen shows what it looks like when a request doesn't come from the same domain as the website, or from Facebook or Google. The "IP Detail" tab shows which domain the request is from; visitors also can see what is loaded on the site by clicking the HTTP tab located on top. When a script file is not loaded from the same domain as other script files, it's "a big red flag." Clicking "Show Response" reveals an obfuscated Magecart script in the suspicious domain.
Yuen also explains how users can look up the exfiltration URL to see where the exfiltrated data is being sent. Read more details in the full blog post here.