Blog Attacks

Kuwait ecommerce site is being used to facilitate client-side skimming attacks

A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection,

Oct 03, 2024 • 2 min read

Himanshu Anand Software Engineer

What happened on Shrwaa.com

A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection, exposing customer payment data. The vulnerability, likely linked to the CosmicSting bug in Magento, has been patched, but sites not updated remain at risk.

Compromised Shrwaa Magento storefront still serving customers

Unlike other impacted sites, Shrwaa[.]com is being exploited as infrastructure for additional attacks. A URL scan shows numerous sites referencing Shrwaa[.]com, which hosts multiple malicious JavaScript files:

Directory listing of malicious JavaScript files hosted on shrwaa.com

Since this domain is currently not being flagged by threat feeds (a big issue when it comes to client-side attacks), the attackers use it as infrastructure and to speed up the process of infecting more sites.

urlscan.io results showing many sites referencing shrwaa.com

One file called jquery.js is only loosely obfuscated, giving us insight into how the injection works. This file creates a simple HTML page that tricks users into entering their payment details. These fake pages overlay the legitimate payment forms:

Fake checkout overlay injected on top of Shrwaa's legitimate payment form

Since no 3rd party script monitoring and security practice is in place, this attack remains active, and likely has been active since December of 2023.

Attacks remain common on the Magento platform. These are known as Magecart attacks, and some of the largest incidents have involved similar tactics. For prevention guidance, see our guide to client-side security for eCommerce.

If Shrwaa[.]com had cside in place, it would have blocked the malicious code and alerted the site to remove it. We have notified them and other sites of the attack.

You can protect your website for free by creating a cside account.

Software Engineer Himanshu Anand

I'm a software engineer and security analyst.

Back to top

Don't just take our word for it, ask AI

FAQ

Frequently Asked Questions

Shrwaa is not just compromised — its infrastructure is being used to host malicious JavaScript for other attacks. The site overlays fake payment forms on top of legitimate Magento checkouts to steal cards.

Threat feeds still do not flag shrwaa.com. The attack has likely been active since December 2023, which underscores why teams need behaviour-based detection on the client rather than relying on domain reputation lists.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Book a demo

Start for free

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics

GDPR and Online Gambling: Why Unauthorised Pixels Create a Dual Liability Problem

Unauthorised pixels on gambling sites trigger GDPR liability and ad-account bans at once, even when the operator never installed them. Here's why.

HIPAA Website Tracking Compliance: The Healthcare Guide to Third-Party Scripts

HHS OCR ruled that tracking pixels and third-party scripts on healthcare websites can expose PHI. Here's what covered entities must do to comply.

How to Block Bytespider (TikTok's AI Crawler)

Bytespider crawls your site for Bytedance's AI systems. Learn how to block it with robots.txt and IP ranges, and the key data sovereignty concerns.

Dark blog cover showing three malicious script casino attack methods: redirects fired from inside the browser, shadow GTM containers loading rogue tags, and geo-targeted mobile-only payloads

How Malicious Scripts Hijack Casino Player Journeys

Script-injected redirects divert casino players before they reach the lobby. Network tools miss them entirely. Here's how detection must work.

Dark cside blog cover with a blue pixel wave and checklist about APAC gambling script security

Client-Side Script Security for APAC Online Gambling Operators

How APAC online gambling operators in Japan, Singapore, the Philippines, and Australia can monitor third-party scripts across real player sessions.

How to Block Amazon Buy for Me on Your Website

Amazon Buy for Me shops your site for Prime users. Learn how it collects pricing and product data and how browser-layer detection gives you control.

Account Takeover Prevention: The Complete 2026 Playbook

The 2026 account takeover playbook: an end-to-end model for login, recovery, session, and post-auth defense against AI-agent and bot-driven attacks.

Dark cside blog cover with a blue pixel wave and checklist about compromised affiliate scripts stealing casino revenue

How Compromised Affiliate Scripts Steal Online Casino Revenue

Compromised affiliate scripts redirect players, steal commissions, and manipulate UTM attribution on casino pages, silently and at scale.

Dark blog cover showing three browser extension attack vectors: redirects to phishing clones, session token theft and account takeover, and payment fields rewritten at the DOM

How Browser Extensions Attack Online Casino Players: What Operators Can Do About It

Browser extensions can steal session tokens and hijack payments on casino sites. Here's how they attack, why servers miss it, and how to detect them.

How to Block AI-Powered Fake Account Creation

AI agents create fake accounts with human-like behaviour that defeats CAPTCHA. Learn the browser-layer signals that reveal automated registrations.