How a Compromised Martech Vendor Stole Credit Card Data from Nearly 60 Websites

• Vault JS identified malicious JavaScript on nearly 60 websites running Showcase-TV marketing tools that was actively scraping credit card data from checkout pages. The code attached to order confirmation button clicks, captured card numbers, expiration dates, and security codes, then posted the data to an external endpoint.
• The attack exploited a trusted third-party vendor relationship, not a vulnerability in the host sites themselves. The malicious code was delivered through JavaScript hosted at navicast.jp, a legitimate marketing technology domain, making it invisible to standard security tools that whitelist known vendor scripts.
• The malicious code was obfuscated to avoid detection and ran for at least two days before being identified. Vault JS believes the vulnerability existed on at least July 25 and 26, 2022. The code has since been removed, but organizations using third-party marketing tags should audit their sites for similar injection patterns.

UPDATE: Vault JS believes that the malicious code has been removed. It appears the vulnerability existed at least on July 25 and July 26th (in Pacific time zone).

Since July 25, 2022 Vault JS experts have identified suspicious code on nearly 60 different websites that are running web marketing tools from Showcase-TV. These sites are currently not being supported by Vault JS and may be leaking customer data right now. If you are using Showcase-TV, you should consider removing this code temporarily until this is resolved.

The issue comes from JavaScript hosted @navicast.jp. The request to r2.sb/api returns JavaScript code that behaves suspiciously, performing the following actions:

1. The code attaches to an order confirmation button click event
2. When the button is clicked, the code scrapes credit card information from the page
3. The code then posts that information to an endpoint at r2.sb/log_api/log

The code is obfuscated to make it more difficult to uncover this activity. Below, we’ve deobfuscated the portion of the code which concerns our team. As you see, the code gathers the credit card number, expiration date month and year, and security code. It then logs this data. This example is from the payments page of the e-commerce website www.chojyu.com. In addition, our team believes the sites www.ekenkoshop.jp, fig-viper.jp, and scores of other sites have also been compromised.

Please follow our LinkedIn page for ongoing updates. In addition, you can request a free analysis of your own site to uncover any suspicious code or data leaks that might be happening right now through your third party tags.