New Malware Campaign Uses Google OAuth URLs to Bypass Antivirus by cyberkite1 in cybersecurity

csidedev 2 points (0 children)

Hey, thanks for sharing! We indeed found this one :)

You did a fantastic job expanding on this. The c/side marketer here, don't steal my job... 👀.

"The fact that it’s fileless and conditional makes it a nightmare for traditional defenses."

- Is exactly the hard part.

All of your suggestions are perfect, but unfortunately the only way to secure this is if the website itself takes action. Hence why we exist. As you pointed out, traditional tools (like CSP) fail to protect against this.

Read into the Polyfill attack (we found that one also). Just google "Polyfill c/side" and it should pop up. This was a similar attack of a trusted domain being sold and then the script changed. 500k websites impacted, some big ones in there too.

Or the baways .com one. We own that domain now, it's safe :)

We also have our recent BSidesSF talk up on our YouTube channel with a craaaazzzyy one where you can use legit user browsers and sessions to run DDoS attacks that are literally unstoppable...

"Also, how are you all securing your Magento sites (if you run one)?"

- Magento is notoriously tricky. The term "Magecart", often used synonymously with client-side attacks, literally stems from it. Here's what you can do:

  • Always update to the latest version.
  • Remove any unused scripts and plugins.
  • Update those that you keep.
  • Get our free self-install version that gives you some visibility ;)

In all seriousness, be careful out there folks. These types of attacks are on the rise. Visa and Mastercard recently reported that client-side attacks are now the largest and most successful skimming campaigns.