Web Attack: Formjacking Website 59 AND js.datadome.co


Today we’ve been flooded with this alert from dozens of clients:

09:08:20,Critical,xxxx,SHA-256: ,MD-5: ,[SID: 31515] Web Attack: Formjacking Website 59 attack blocked. Traffic has been blocked for this application: C:\Program Files (x86)\Internet Explorer\iexplore.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 0.0.0.0,Remote: 000000000000,Inbound,OTHERS,,Begin: 2019-12-05 09:08:22,End: 2019-12-05 09:08:22,Occurrences: 1,Application: C:/Program Files (x86)/Internet Explorer/iexplore.exe,Location: On Network,User: xxxx,Domain: xxxx,Local Port 0,Remote Port 0,CIDS Signature ID: 31515,CIDS Signature string: Web Attack: Formjacking Website 59,CIDS Signature SubID: 0,Intrusion URL: https://js.datadome.co/tags.js,Intrusion Payload URL:

This appears to be a legit company that provides bot protection (https://datadome.co/about-us/), and the NY Times is one of them. So in each case the user has visited the NY Times shortly before this alert. We've had traffic to this site for a long time, so I'm guessing this is a new signature that isn't working right, but we're not sure at this point.

The JS is heavily obfuscated, but they do have a nice heading:

    /** DataDome is a cybersecurity solution to detect bot activity https://datadome.co (version 3.19.4) */

    var _0x55aa = ['\x63\x33\x42\x73\x61\x58\x51\x3d', '\x59\x32\x46\x73\x62\x46\x42\x6f\x59\x57\x35\x30\x62\x32\x30\x3d', '\x58\x33\x42\x6f\x59\x57\x35\x30\x62\x32\x30\x3d', '\x59\x6e\x4a\x76\x64\x33\x4e\x6c\x63\x6b\x78\x68\x62\x6d\x64\x31\x59\x57\x64\x6c', '\x5a\x47\x52\x66\x61\x77\x3d\x3d', '\x63\x47\x46\x79\x63\x32\x55\x3d', '\x64\x58\x4a\x73', (function(_0x5e829e, _0xeab3b6) {

Anyone else seen this or know if it's a false positive? One weakness in the Symantec threat database is that it doesn't show the date the signature was created or last updated (https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=31515). Tenable does this with Snort sigs and it helps troubleshooting.
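One way to triage a flood of alerts like the one above, as an added example that is not part of the original post: parse the SEP IPS alert lines and check whether all of a signature's hits point at a single host across many distinct users, which is the pattern a mis-firing signature on a legitimate third-party script produces. The usernames, the HOST-A computer name and the second URL are constructed placeholders; only SID 31515 and the js.datadome.co URL come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed alert lines in the same SEP IPS export layout as the post's alert.
# Usernames, the HOST-A computer name and the example.net URL are placeholders.
TEMPLATE = (
    "09:08:20,Critical,HOST-A,SHA-256: ,MD-5: ,[SID: {sid}] {sig} attack blocked. "
    "Traffic has been blocked for this application: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,"
    "Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 0.0.0.0,Remote: 000000000000,Inbound,OTHERS,,"
    "Begin: 2019-12-05 09:08:22,End: 2019-12-05 09:08:22,Occurrences: 1,"
    "Application: C:/Program Files (x86)/Internet Explorer/iexplore.exe,Location: On Network,"
    "User: {user},Domain: CORP,Local Port 0,Remote Port 0,CIDS Signature ID: {sid},"
    "CIDS Signature string: {sig},CIDS Signature SubID: 0,Intrusion URL: {url},Intrusion Payload URL:"
)
SIG = "Web Attack: Formjacking Website 59"
DATADOME = "https://js.datadome.co/tags.js"
SAMPLE_ALERTS = [
    TEMPLATE.format(sid=31515, sig=SIG, user=u, url=DATADOME) for u in ("alice", "bob", "carol")
] + [TEMPLATE.format(sid=31515, sig=SIG, user="dave", url="https://cdn.example.net/x.js")]

# Fields of interest; a value runs to the next comma, so the colon inside
# "CIDS Signature string: Web Attack: ..." does not break the match.
FIELD_RE = re.compile(r"(?:^|,)(CIDS Signature ID|CIDS Signature string|Intrusion URL|User): ?([^,]*)")

def parse_alert(line):
    """Pull the triage-relevant fields out of one alert line and derive the intrusion host."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(line)}
    url = fields.get("Intrusion URL", "")
    fields["host"] = (urlparse(url).hostname or "") if url else ""
    return fields

def triage(lines, min_users=3):
    """Group alerts by signature ID; one host hit by many distinct users is a false-positive candidate."""
    groups = defaultdict(lambda: {"name": "", "count": 0, "hosts": set(), "users": set()})
    for line in lines:
        f = parse_alert(line)
        sid = f.get("CIDS Signature ID")
        if not sid:
            continue  # not an IPS alert line, skip it
        g = groups[sid]
        g["name"] = f.get("CIDS Signature string", g["name"])
        g["count"] += 1
        g["hosts"].add(f["host"])
        g["users"].add(f.get("User", ""))
    return {
        sid: {"name": g["name"], "count": g["count"], "hosts": sorted(g["hosts"]),
              "distinct_users": len(g["users"]),
              "fp_candidate": len(g["hosts"]) == 1 and len(g["users"]) >= min_users}
        for sid, g in groups.items()
    }
```

Running `triage(SAMPLE_ALERTS[:3])` flags SID 31515 as a candidate because every hit lands on js.datadome.co; adding the fourth constructed alert on a second host clears the flag, which is the distinction worth checking before opening a false-positive case with the vendor.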
