Blog

Cisco client-side Magecart JavaScript attack

Another day, another high-profile client-side JavaScript attack. This morning, we read that Cisco is the next victim of malicious code being

Sep 06, 2024 • 5 min read

Himanshu Anand Software Engineer

Another day, another high-profile client-side JavaScript attack. This morning, we read that Cisco is the next victim of malicious code being loaded through a third-party script.

The Cisco Merchant website operates on the Magento Enterprise framework, which is widely used by eCommerce websites. Magento offers a robust and scalable platform, but like any system, it’s vulnerable to exploitation if security patches and updates aren’t applied timely. The exact version of Magento in use at the time of the attack was Magento 2.4 (Enterprise).

Wappalyzer detection of Magento 2.4 Enterprise running on Cisco's site

Attacks targeting the Magento frameworks, have over time gotten their own nickname: Magecart attacks.

The attackers use a third-party script which inserts malicious code, often through a domain, to steal credit card and personal information. E-commerce sites are often a target in these attacks.

For more detailed information about vulnerabilities related to Magento, check these links:

The malicious script decoded

During our analysis, we discovered the following injected script on the website:

Injected script tag loading malicious code from rextension.net

This script, hosted on the domain

rextension[.]net/za/, which is associated with an IP address located in Russia (82.202.163.229), was found to be retrieving additional obfuscated code. The domain was recently registered on August 30th, 2024, making it just 7 days old at the time of our analysis on September 6th, 2024.

Initial obfuscated payload retrieved from the rextension.net domain

WHOIS lookup placing the rextension.net domain on a Russian IP

Why this matters

The domain's recent registration raises red flags as it could indicate a fly-by-night operation designed for quick exploitation before being abandoned.
Obfuscated scripts like these are difficult to detect without specialized monitoring, making them especially dangerous for both website owners and their customers.

How cside would've stopped this attack

Had the Cisco merchant website have cside in place, our detection engine would've caught this attack. One of our systems checks for newly registered domains, and in testing our engine caught this and alerted the user of this anomaly. The script itself was blocked from loading in browser of the test user, stopping this attack before it could take place. Here can be seen when this domain was registered (safe link).

Sign up for free and protect your site in seconds.

Deobfuscating the script step-by-step

The script retrieved was highly obfuscated, making it difficult to easily analyze. Below is just a portion of the obfuscated code:

Heavily obfuscated JavaScript pulled from the compromised Cisco page

The above script is multi-layer obfuscated JavaScript, which was loaded into a debugger.

Obfuscation is a method used to make code difficult to understand, typically as a means of hiding its functionality or protecting sensitive data. However, for analysts, developers, or security researchers, understanding the underlying functionality is essential and legal.

We put a breakpoint at:

Browser debugger paused at the first breakpoint inside the obfuscated script

And executed the script and, after couple of decodes, we got two interim decoded JavaScripts.

The first level of obfuscation is a function that takes an argument (Decoded right before the script) and transforms it using various JavaScript methods, such as string manipulation and character encoding.

First layer of the obfuscated Magecart script after partial decoding

A closer look will:

Browser debugger paused at the second breakpoint inside the obfuscated script

The final decoded version:

This snippet confirms that the script is focused on payment card fields, but it's still partially obfuscated, with functions like _0xDCAD and _0xDBA3. These functions further manipulate the content, and after more layers of decoding, the final script emerges.

Final decoded JavaScript snippet that targets payment card form fields

Final decoded layer of the obfuscated payment-card-stealing script

Key aspects of the script

Obfuscation: The script is heavily obfuscated, using functions like _0xDCAD, _0xDBB6, _0xDBC9 to create multiple levels of encoding and obfuscation. This is typical of malware or scripts trying to hide their actual functionality.
Input Collection: The script collects information from HTML input elements identified by CSS selectors such as #authnetcim-cc-number, #authnetcim-cc-exp-month, #authnetcim-cc-exp-year, and #authnetcim-cc-cid. These are typically fields where users would input sensitive payment information.
Data Handling:- The data collected (credit card number, expiry date, CVV, etc.) is gathered in the ffewq object.

The script then encrypts this information using AES encryption (via functions like encrypt, decrypt, round, etc.).
Once encrypted, the data is sent to a server using jQuery.ajax() calls (seen in the jQuery[_0xDB90[51]] section).

Encryption: The script uses AES (Advanced Encryption Standard) for securing the data before sending it out. This includes several functions handling AES encryption logic (addRoundKey, mixColumns, encrypt, etc.), which are standard components in an AES encryption process.
Periodic Execution: The script is designed to run at regular intervals (setInterval(_0xDBA3, 100);) to continuously check or send the collected data.

Please know that the cside dashboard does this process for you, deobfuscating script to make them easier to read and analyze.

cside dashboard showing the deobfuscated jsDelivr script content

What happened in this attack

One of the possible vulnerabilities that may have been exploited in this attack is known as CosmicSting. This is a known exploit in the Magento platform that has been documented and researched. You can read more about it in detail at SanSec Research on CosmicSting.

Client-side attacks such as this one can be devastating to both businesses and customers, highlighting the importance of constant vigilance and the implementation of sophisticated security measures. Companies should ensure that they apply patches, monitor for suspicious activity, and utilize advanced tools like those offered by cside to mitigate risks.

Software Engineer Himanshu Anand

I'm a software engineer and security analyst.

Don't just take our word for it, ask AI

FAQ

Frequently Asked Questions

Attackers exploited a Magento 2.4 vulnerability — most likely CosmicSting — to inject an obfuscated script into the page. The script was hosted on the freshly registered rextension.net domain and skimmed payment card data from the checkout form.

The attacker domain was only seven days old at the time of the analysis, so no threat feed had labelled it malicious yet. Client-side monitoring catches the behaviour — a script suddenly reading credit card fields — instead of relying on a domain reputation that does not exist yet.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Book a demo

Start for free

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics

Dark cside blog cover with a blue pixel wave and checklist about unauthorized gambling pixels and GDPR liability

GDPR and Online Gambling: Why Unauthorised Pixels Create a Dual Liability Problem

Unauthorised pixels on gambling sites trigger GDPR liability and ad-account bans at once, even when the operator never installed them. Here's why.

How to Block Bytespider (TikTok's AI Crawler)

Bytespider crawls your site for Bytedance's AI systems. Learn how to block it with robots.txt and IP ranges, and the key data sovereignty concerns.

Dark blog cover showing three malicious script casino attack methods: redirects fired from inside the browser, shadow GTM containers loading rogue tags, and geo-targeted mobile-only payloads

How Malicious Scripts Hijack Casino Player Journeys

Script-injected redirects divert casino players before they reach the lobby. Network tools miss them entirely. Here's how detection must work.

Dark cside blog cover with a blue pixel wave and checklist about APAC gambling script security

Client-Side Script Security for APAC Online Gambling Operators

How APAC online gambling operators in Japan, Singapore, the Philippines, and Australia can monitor third-party scripts across real player sessions.

How to Block Amazon Buy for Me on Your Website

Amazon Buy for Me shops your site for Prime users. Learn how it collects pricing and product data and how browser-layer detection gives you control.

Account Takeover Prevention: The Complete 2026 Playbook

The 2026 account takeover playbook: an end-to-end model for login, recovery, session, and post-auth defense against AI-agent and bot-driven attacks.

Dark cside blog cover with a blue pixel wave and checklist about compromised affiliate scripts stealing casino revenue

How Compromised Affiliate Scripts Steal Online Casino Revenue

Compromised affiliate scripts redirect players, steal commissions, and manipulate UTM attribution on casino pages, silently and at scale.

Dark blog cover showing three browser extension attack vectors: redirects to phishing clones, session token theft and account takeover, and payment fields rewritten at the DOM

How Browser Extensions Attack Online Casino Players: What Operators Can Do About It

Browser extensions can steal session tokens and hijack payments on casino sites. Here's how they attack, why servers miss it, and how to detect them.

How to Block AI-Powered Fake Account Creation

AI agents create fake accounts with human-like behaviour that defeats CAPTCHA. Learn the browser-layer signals that reveal automated registrations.

How to Block CCBot (Common Crawl's AI Crawler)

CCBot feeds Common Crawl datasets used to train GPT-3, BLOOM, LLaMA, and many other AI models. Learn how to block it and what blocking actually does.