A sophisticated cybercriminal campaign, identified as ScreamedJungle, has been uncovered that uses stolen browser fingerprints to bypass fraud detection systems and impersonate legitimate users. The threat actor behind this campaign has been targeting outdated Magento e-commerce platforms, particularly versions that have not received security updates since September 2022, such as Magento 2.3. By exploiting vulnerabilities such as CVE-2024-34102 (CosmicSting) and CVE-2024-20720, the attackers inject malicious JavaScript into compromised websites. These scripts collect unique digital identifiers, including data points such as screen resolution, graphics card details, and installed fonts, allowing the attackers to assemble comprehensive browser fingerprints from unsuspecting visitors.
Browser fingerprinting has become a powerful technique used by both legitimate security systems and cybercriminals. This method collects hundreds of browser and device characteristics, and it is increasingly being exploited by attackers to bypass traditional fraud detection mechanisms. Cybersecurity researchers from Group-IB have discovered that ScreamedJungle uses browser fingerprinting to disguise automated attacks as legitimate user activity, allowing the attackers to bypass multi-factor authentication (MFA) and device reputation checks. The campaign has been particularly effective in impersonating real users, evading security systems meant to detect and prevent automated fraud.
The malicious JavaScript payload injected into compromised Magento sites activates specifically for desktop users. It collects over 50 parameters from victims’ browsers and sends this data to a domain controlled by the attackers. Once the information is gathered, it is stored in a private database tied to the Bablosoft FingerprintSwitcher module. Using PerfectCanvas technology, ScreamedJungle clones legitimate browser fingerprints, ensuring pixel-perfect replication of user data. By combining this fingerprinting technology with BrowserAutomationStudio (BAS), the attackers can automate credential-stuffing attacks while remaining undetected by fraud detection systems.
The impact of this campaign is widespread, with over 200,000 users exposed on just nine compromised Italian e-commerce sites. Since May 2024, it is estimated that millions of fingerprints have been harvested globally. Businesses are urged to patch their systems promptly, monitor for unauthorized script injections, and implement device-binding protocols to defend against these types of attacks. Users are also encouraged to adopt privacy-focused browsers, such as Brave or Tor, and use anti-fingerprint extensions to limit the effectiveness of tracking and mitigate the risk posed by these advanced cybercriminal tactics.
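
One way to act on the advice to monitor for unauthorized script injections, as an added example that is not from Group-IB's report or the original article: a Python audit of rendered storefront HTML that flags script hosts outside an allowlist and inline scripts that read several fingerprint data points and also send data. The allowlist, the regex heuristics and the sample hosts are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns (an assumption of this example) for the data points the
# article names: screen resolution, graphics card details, fonts, canvas.
SIGNALS = {
    "screen": re.compile(r"\bscreen\.(width|height|colorDepth)\b"),
    "gpu": re.compile(r"WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL"),
    "fonts": re.compile(r"document\.fonts|measureText\s*\("),
    "canvas": re.compile(r"\.toDataURL\s*\("),
}
SENDS_DATA = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(")

class ScriptAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed, self.findings = set(allowed_hosts), []
        self._body = None  # list of text chunks while inside <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._body = []
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host and host not in self.allowed:  # relative URLs have no host
            self.findings.append(("unlisted-script-host", host))
    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag != "script" or self._body is None:
            return
        code, self._body = "".join(self._body), None
        hits = sorted(k for k, rx in SIGNALS.items() if rx.search(code))
        # Two or more fingerprint reads plus a network send is worth a review.
        if len(hits) >= 2 and SENDS_DATA.search(code):
            self.findings.append(("inline-fingerprinting", ",".join(hits)))

def audit_page(html, allowed_hosts):
    auditor = ScriptAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; hosts are placeholders, not indicators from the report.
SAMPLE = """<script src="/static/js/theme.js"></script>
<script src="https://unknown-host.example/c.js"></script>
<script>var d=[screen.width,c.toDataURL()];fetch("/x",{method:"POST",body:d});</script>"""
```

Run `audit_page` against pages fetched from the live storefront (checkout and account pages first) and diff the findings between runs, since a new script host or a new inline collector is the change to investigate.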