{
	"id": "9910c241-ce97-408f-a9ae-2d951b1f90df",
	"created_at": "2026-04-06T00:09:32.847026Z",
	"updated_at": "2026-04-10T13:12:45.566092Z",
	"deleted_at": null,
	"sha1_hash": "e2800dd0f3d20da804613174e5e5b4b9234b0bc7",
	"title": "Introducing Script Watch: Detect Magecart style attacks, fast!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 494651,
	"plain_text": "Introducing Script Watch: Detect Magecart style attacks, fast!\nBy Scott Helme\nPublished: 2021-06-14 · Archived: 2026-04-05 19:22:51 UTC\n\nI'm really excited to be announcing something that we've been working towards for a long time at Report URI, Script Watch! Continuing our goal of making browser security features like CSP easier to use and empowering application owners to neutralise serious risks, Script Watch represents a significant step forwards!\n\nMagecart\n\nFor almost 6 years now, a collective known as Magecart have been wreaking havoc on ecommerce sites with their attacks. By finding a way to inject hostile JavaScript into an application, a Magecart attack would skim credit card data being entered into payment pages and then siphon that off to a server controlled by the attackers using one of many exfiltration vectors. Because the data was being entered onto a payment page, the attackers would get everything, including names, addresses, full card numbers, expiry dates and even security codes.\n\nMany large organisations have fallen victim to these kinds of attacks, including names like British Airways and Ticketmaster, organisations of significant size. The attacks all begin when the attacker finds any way to get their hostile JS into the page, and often there are no visible clues on the page that data is being stolen.\n\nI've long spoken about Content Security Policy and the power it offers in mitigating attacks like these. CSP allows you to define an allowed list of locations that your resources load from, with JS being of particular interest here. If you control all of the locations that JS is allowed to load from, then the attackers can't get their hostile JS to load on your site.\n\nWriting a good CSP is hard, though, and at Report URI we've been constantly looking for ways to make CSP easier to set up and ways to extract useful information from reporting with less effort.\n\nhttps://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it\u0026utm_medium=twitter\nPage 1 of 7\n\nThe CSP Wizard that we introduced 3 years ago is still one of the easiest ways to generate a CSP that I've come across, and now with the announcement of Script Watch, we're hoping you can start getting useful information from your CSP reports even sooner.\n\nScript Watch\n\nWhen you deploy a CSP on your site, the browser will only load JS from locations that you specifically allow. This means that JS loading from locations you do not allow will be blocked and a report will be sent. The core value proposition of Report URI is to collect these reports for you, filter and aggregate them and then present the information to you in useful dashboards. There is still a step in the process here, though, where you need to monitor what's happening on your site, and that's one of the main things that Script Watch is starting to change.\n\nWhen we collect your reports we can see what JS you expect to load on your site, which is the JS allowed in your CSP, and the JS which you do not expect to be on your site, which is what triggers a report to be sent. This means that we can see all JS being loaded on your site, and this is the first piece of information that Script Watch can make available: an entire audit of all JS present on your site!\n\nThat is the information that Script Watch gathered about my site in just a few minutes, with basically no effort to deploy. Whilst you can go to our site and view all of your JS dependencies, which is great, it'd be even better if you didn't have to go to our site to do that.\n\nWhen we detect a new script being reported on your site you will now receive an email notification informing you of what we found! As you can see here, because I've just turned on Script Watch, quite a few JS dependencies were found all at the same time, but on an ongoing basis you will likely only find one or two new dependencies being reported to you at a time.\n\nWhat's even better is that Script Watch monitors individual JS files, so even if someone does something as simple as bump the version of a library you use, Script Watch can detect that and report a new dependency to you!\n\nPast Examples\n\nYou don't have to look too far to see exactly the kind of scenario we need to be worried about happening, and over the years there have been many examples of how Magecart have injected their hostile JS into target sites. There was a particular period of time where a large number of Magento ecommerce sites were being targeted, and here are a few samples of the script tags that were being injected into those sites.\n\n\u003cscript src=\"https://jquery-cdn.top/mage.js\"\u003e\u003c/script\u003e\n\u003cscript src=\"https://angular.cub/js/everlast.js\"\u003e\u003c/script\u003e\n\u003cscript src=\"https://sj-syst.link/sj-syst/ocart.js\"\u003e\u003c/script\u003e\n\nOnce these script tags are on the page the keylogger is loaded and begins stealing credit card data typed into the page and sending it to a drop server controlled by the attackers. Even a keen eye in the developer tools might skim over such a script with what seems to be a fairly normal looking name, but if you received a notification to say this is a brand new dependency on your site, you might look at it a bit more carefully!\n\nAvailability\n\nWe've been testing Script Watch internally for some time now, refining and improving things as we go, and we've also had select customers test Script Watch in our Beta Program. As a result, Script Watch is now generally available for all customers subscribed on a mid-tier plan or higher, including all of our Enterprise customers, who automatically get access to all new features.\n\nScript Watch does not increase the cost of your plan and it will also not consume any additional quota. For customers on a plan that includes Script Watch, it is completely free to use! Once you enable Script Watch on one of your sites, the tool will ingest and work with a copy of your existing, incoming reports, meaning no additional usage is required and no additional costs are incurred.\n\nGetting Started\n\nIf you want more detailed information then you should check our docs page for Script Watch, but I will give you the basic idea here too. Under the CSP menu in your account, there is now a Script Watch menu item:\n\nHere you can see any sites that Script Watch is currently monitoring for you, or add new sites to be monitored. It's worth noting that Script Watch monitors 'sites' based on the FQDN, so www.report-uri.com and blog.report-uri.com would be monitored separately from each other. Check the docs page or click the little 'i' information icons on the page for more details. If I click Inspect for a particular site I can view all of the reported JS dependencies for that site!\n\nYou will also receive an email notification as we detect new dependencies, and these will be grouped if we detect several new dependencies at the same time.\n\nOther than the Inspect button you also have Reset, which will clear all currently documented dependencies and start building a new list (great if you've made changes to your site and want to start a fresh list), or the Delete option to delete all data for that site and stop monitoring for changes.\n\nCSP and Script Watch are not a silver bullet\n\nIf we're going to get serious about attacks like Magecart and others with a hope of stopping them, we also need to understand that even with a good CSP and Script Watch enabled, there are still ways that attackers can succeed. Site operators should also consider another technology called Subresource Integrity, or SRI, to secure their assets. I've spoken about SRI in the context of Magecart before, in Magecart are coming for you, are you ready? and Protect your site from Cryptojacking with CSP + SRI, which is a slightly different attack but conducted in exactly the same way. Fortunately, it's quite easy to deploy SRI in almost all circumstances, we have a tool to help you, and the combination of CSP and SRI together is a very powerful protection against hostile script. By setting up Script Watch you can potentially neutralise attacks like these before they even happen, but you will always get rapid alerting that an attack is just beginning, which could be invaluable in stopping it before too much damage takes place.\n\nMore to come\n\nIt's taken us a little while to get to a point where we can launch Script Watch, but that's because we've been building up the technology behind it, which can now be used in other scenarios much more easily. We have other features coming in the near future that will leverage the same near-real-time monitoring and alerting for other things that you will definitely be interested in learning about on your site, so stay tuned for those. Just think, getting script into your page is only one step in a Magecart style attack, and there's a second, arguably more important, step that follows...\n\nFor now, though, please give Script Watch a try, send me some feedback and feel free to use this discount code to get you started! This will give new customers, and existing customers who need to upgrade their plan, a 50% discount on their first month so you can try out Script Watch to see if it's for you: SCRIPTWATCH\n\nTags: Report URI, Script Watch, magecart\nSource: https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it\u0026utm_medium=twitter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it\u0026utm_medium=twitter"
	],
	"report_names": [
		"?utm_source=dlvr.it\u0026utm_medium=twitter"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2800dd0f3d20da804613174e5e5b4b9234b0bc7.pdf",
		"text": "https://archive.orkl.eu/e2800dd0f3d20da804613174e5e5b4b9234b0bc7.txt",
		"img": "https://archive.orkl.eu/e2800dd0f3d20da804613174e5e5b4b9234b0bc7.jpg"
	}
}