Skip to content

Check your E-commerce website for malicious JavaScript

Increase in malicious JavaScript attack on E-commerce websites.

If you are running a website that takes credit card payments and have integrated a shopping cart – please take note:

A relatively simple technique, that has been around for many years has suddenly been seen to be on the increase.

The technique allows the injection of JavaScript to POST credit card details to the attacker’s web-server, and for the end user looks like a ‘normal’ payment process.

The malicious JavaScript is sometimes added to the retailer’s website, or sent via integrated partners, such as sales feeds, that utilise JavaScript libraries, with a direct connection to your retail website.

We have seen many websites that are vulnerable to this issue, with the JavaScript code added to the payment flow, typically pointing to a malicious web-server.

Details being captured are LIVE credit card details being posted at time of purchase.

From a PCI DSS compliance standpoint, as a retailer operating an E-commerce website, it is mandatory to adhere to the PCI DSS requirements.

It is likely that you will only submit compliance based on the scope as defined by your E-commerce environment, for example; SAQ-A, where testing for this vulnerability is outside of the requirements.

It is imperative that you review any non-payment JavaScript implementations that may be imbedded on your payment pages, e.g. marketing feeds, analytics etc. and look to minimise authorised non-payment scripts on your payment pages.

> Start now!
Need help with PCI DSS Compliance 

Secure South West 11 event - access to cyber security expertise locally
Cyber security: shouldn't be news - user access should be controlled
Scroll To Top