{
	"id": "bd232031-d6e4-4be3-82b9-0311f232f1fc",
	"created_at": "2026-04-06T00:17:52.019361Z",
	"updated_at": "2026-04-10T03:30:11.981979Z",
	"deleted_at": null,
	"sha1_hash": "59aec8b1c8dc02c0aac2742bc250ae91a13c4ded",
	"title": "Attack Exploiting XSS Vulnerability in E-commerce Websites - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3559571,
	"plain_text": "Attack Exploiting XSS Vulnerability in E-commerce Websites -\r\nJPCERT/CC Eyes\r\nBy 増渕 維摩(Yuma Masubuchi)\r\nPublished: 2021-07-11 · Archived: 2026-04-05 14:56:27 UTC\r\nOn 28 April 2021, Trend Micro reported the details of attacks exploiting cross-site scripting (hereafter “XSS”) vulnerabilities on e-commerce websites [1]. JPCERT/CC has also confirmed similar cases, which originate in XSS vulnerabilities in websites developed with EC-CUBE products (an open-source CMS for e-commerce websites). This attack does not target vulnerabilities specific to EC-CUBE products but affects any e-commerce website that has an XSS vulnerability on its administrator page. This attack campaign is still ongoing as of July 1, 2021. This article details the cases that JPCERT/CC has handled.\r\nAttack Overview\r\nThe flow of the attack is described in Figure 1.\r\nFigure 1: Attack overview\r\nFiles embedded in e-commerce sites in the course of this attack are listed in Table 1.\r\nTable 1: List of embedded files\r\nhttps://blogs.jpcert.or.jp/en/2021/07/water_pamola.html\r\nPage 1 of 9\r\nWebShell: Multi-function WebShell (written in Chinese; tool name unknown)\r\nDatabase control tool: Adminer version 4.2.4\r\nInformation stealing JavaScript: Sends credit card information etc. when clicked; loaded on the login/transaction page\r\nInformation storing JavaScript: Saves the information stolen by the above JavaScript; writes the data to the “information storage file”\r\nInformation storage file: Stores credit card number, expiry date, security code, email address, password etc.\r\nSimple WebShell: Executes an uploaded PHP file\r\nAttackers perform the purchase process by typing a malicious script into an order form on a target e-commerce website (1. in Figure 1). 
If the process is vulnerable to XSS, the malicious script is executed on the administrator’s page, which results in credential theft and Simple WebShell setup on the website (2 and 4). After that, attackers implement a WebShell and JavaScript on the website to steal and save user information (5). It is assumed that the attackers access the stolen information by regularly checking the WebShell (6).\r\nIn the course of the attack, attackers embed Adminer [2] on the e-commerce website. This is a common tool for inspecting database contents in a GUI environment, and it is compatible with various types of database such as MySQL, PostgreSQL, SQLite, MS SQL, Oracle, SimpleDB, Elasticsearch and MongoDB. Attackers are likely to have stolen database information by using this tool.\r\nMalicious purchase action exploiting XSS vulnerability\r\nAn XSS attack is performed as part of the purchase process with the following malicious script. Attackers send this script into multiple forms in order to increase the chance of success.\r\nFigure 2: Malicious script sent into multiple forms\r\nIf this XSS attack succeeds, the following JavaScript code (Figure 3) is executed on the administrator’s PC. This code collects the username and password and sends them to the attackers’ servers.\r\nFigure 3: Information stealing JavaScript code\r\nStealing credit card information\r\nFigure 4 describes the flow of the attack stealing credit card information from site visitors.\r\nFigure 4: Flow of attack\r\nThe embedded “information stealing JavaScript” hooks a user’s mouse clicks on the website during their login and transaction, which as a result steals credit card information. 
The stolen information is sent to the “information storing JavaScript” located on the same server, and then stored in the following relative path:\r\n../../../ProductOption/img/env.jpg\r\nIt is assumed that attackers retrieved the credit card information stored in the “information storage file” via the WebShell.\r\nDetails of the “information stealing JavaScript” are shown in Figure 5.\r\nFigure 5: Information stealing JavaScript code\r\nAttackers check the URL and hook the user’s mouse clicks to steal the information provided in each component. In the collected data, the path name related to the credit card transaction services of the e-commerce company is hard-coded. This indicates that the attackers customise the code depending on the target e-commerce company.\r\nFigure 6: JavaScript code sending credit card information\r\nThis JavaScript combines each component of the stolen information and sends it to the “information storing JavaScript”. Email information is temporarily stored in a Cookie in the user’s browser, which is retrieved when sending the data. The data to send is specified as follows:\r\nFigure 7: Format of data sent\r\nWebShell that was likely used to steal information\r\nThe control page of the WebShell is displayed in Figure 8. It comes with various functions such as file download/upload and shell command execution. This WebShell is written in Chinese.\r\nFigure 8: WebShell control page\r\nIn closing\r\nWe have introduced the details of an attack stealing credentials from the administrator’s page. Even if an e-commerce site itself has no security issues, this attack can be carried out if a plugin is vulnerable. Therefore, it is recommended to check for plugin updates as well. 
Please refer to JPCERT/CC’s security alerts [3], [4] and an advisory [5] regarding the vulnerabilities exploited.\r\nFor your information, the IP address, domain names and file hash values identified in the attack are listed in Appendix A and B.\r\n- Yuma Masubuchi, Shusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] Water Pamola Attacked Online Shops Via Malicious Orders\r\nhttps://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html\r\n[2] Adminer\r\nhttps://www.adminer.org/en/\r\n[3] Alert Regarding Cross Site Scripting Vulnerability (CVE-2021-20717) in EC-CUBE\r\nhttps://www.jpcert.or.jp/english/at/2021/at210022.html\r\n[4] Alert Regarding Cross Site Scripting Vulnerabilities in Multiple EC-CUBE 3.0 Series Plugins\r\nhttps://www.jpcert.or.jp/english/at/2021/at210028.html\r\n[5] Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE\r\nhttps://jvn.jp/en/jp/JVN57524494/index.html\r\nAppendix A: Attackers’ IP address and domains\r\n98.126.218[.]141\r\nhttp[:]//77i[.]co\r\nhttp[:]//xf6[.]site/A\r\nhttp[:]//js4[.]io\r\nAppendix B: SHA256 hash values of files used in the attack\r\nNote: These hash values include tools which may also be used in daily operation. 
Beware of false detection when using these as indicators of compromise.\r\nDatabase control tool\r\n1e1813745f670c469a1c368c45d159ec55656f0a31ed966065a9ca6edd27acc1\r\nJavaScript to steal ID and password (executed in an XSS attack)\r\na1876a6af7e17246633e229c4366c0eb9e4b899a0e884253660c8ace5ed9b366\r\n増渕 維摩(Yuma Masubuchi)\r\nYuma has been engaged in malware analysis in the JPCERT/CC Cyber Security Coordination Group since 2020.\r\nSource: https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html"
	],
	"report_names": [
		"water_pamola.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59aec8b1c8dc02c0aac2742bc250ae91a13c4ded.pdf",
		"text": "https://archive.orkl.eu/59aec8b1c8dc02c0aac2742bc250ae91a13c4ded.txt",
		"img": "https://archive.orkl.eu/59aec8b1c8dc02c0aac2742bc250ae91a13c4ded.jpg"
	}
}