There’s an interesting find over at the Sansec blog, wrapping time and date manipulation up with a very smart RAT attack. The file, named CronRAT, isn’t an e-commerce attack compromising payment terminals in physical stores. Rather, it looks to swipe payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. It’s your classic Magecart attack with a stealthy twist.

This method means it bypasses the protection people using the websites arm themselves with, rigging the game from the start. By the time you get onto the website, everything may be fine at your end but the stream further upriver has already been polluted. It achieves this thanks to the Linux Cron Job system, which we’ll come back to a little later.

First of all, here’s a brief rundown on what Magecart is, and the difference between client-side and server-side attacks.

Magecart is the collective name used for multiple groups who partake in web skimming. These attacks rely on outdated CMSes, or plugin zero days. They may go after small businesses running a particular e-commerce platform. It’s possible they use services like bulletproof hosting to frustrate researchers and law enforcement. There are even impersonators out there, just to make things even more confusing.

Client-side versus server-side attacks

Client-side is where the people who buy things from websites hang out. These are the places where operations such as Magecart may lurk. It could be bogus JavaScript loading in from untrusted domains, or perhaps some other form of rogue code. You can ward off threats such as these by using browser plugins like NoScript. There’s an element of control over these factors, in terms of how you try and secure your browser.

Server-side is an attack on the merchants.