A sophisticated cybercriminal operation, known as ScreamedJungle, has been uncovered by cybersecurity researchers. This campaign uses stolen browser fingerprints to bypass fraud detection systems and impersonate legitimate users, posing a significant threat to online security.
Since May 2024, ScreamedJungle has been exploiting vulnerabilities in outdated Magento e-commerce platforms. Attackers inject malicious scripts into these sites, enabling them to collect unique digital identifiers from unsuspecting visitors.
Browser fingerprinting, a technique that gathers detailed information about a user’s browser and device (such as installed fonts, screen resolution, and graphics card data), has become an essential tool for cybersecurity defenders and cybercriminals alike. Researchers at Group-IB found that by mimicking these fingerprints, the attackers can make automated attacks appear as legitimate user activity, allowing them to bypass protections like multi-factor authentication (MFA) and device reputation checks.
The Mechanics of the ScreamedJungle Campaign
The attack begins with the exploitation of Magento e-commerce sites running outdated software, particularly older versions like Magento 2.3, which have not received security updates since September 2022.
The ScreamedJungle threat actor exploits vulnerabilities such as CVE-2024-34102 (CosmicSting) and CVE-2024-20720 to inject malicious JavaScript code into these compromised websites.
The injected script, hidden within an innocuous comment tag, pulls additional code from the attacker-controlled domain busz[.]io. This script activates only for desktop users and collects over 50 parameters through functions like GetSystemFontData, GetWebGPUData, and GetKeyboardLayout. The data is then sent to hxxps://customfingerprints[.]bablosoft[.]com/save, where it is stored in a private database linked to Bablosoft’s FingerprintSwitcher module.
PerfectCanvas and Automated Attacks
ScreamedJungle uses PerfectCanvas technology to clone browser fingerprints by rendering canvas elements on remote servers. This ensures that the fingerprint replication is pixel-perfect, mimicking legitimate user activity. With the help of Bablosoft’s BrowserAutomationStudio (BAS), the attackers automate credential-stuffing attacks while avoiding detection.
The impact of this campaign is significant. Just nine compromised Italian e-commerce sites exposed over 200,000 user profiles per month. Researchers from Group-IB estimate that ScreamedJungle has harvested millions of fingerprints globally since May 2024.
How to Defend Against These Threats
To protect against such advanced threats, businesses must promptly patch vulnerabilities and monitor their sites for unauthorized script injections. Additionally, device-binding protocols should be implemented to prevent unauthorized access.
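One way to do the script-injection monitoring recommended above, as an added example that is not code from Group-IB or the original article: it lists every external host that a page's script tags, inline scripts and HTML comments point to, and reports the ones outside an allowlist. The allowlist, the sample markup, the x.js path and the .example hosts are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article, stored defanged; refanged into match suffixes.
KNOWN_BAD = tuple("." + d.replace("[.]", ".") for d in
                  ("busz[.]io", "customfingerprints[.]bablosoft[.]com"))
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# Constructed sample page (hypothetical shop markup, not a captured injection).
SAMPLE = """<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<!-- layout fix <script src="https://busz[.]io/x.js"></script> -->
<script>fetch("https://stats.unknown.example/c")</script>""".replace("[.]", ".")

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self.in_script = [], False   # refs: (host, where) pairs

    def add(self, url, where):
        try:
            host = urlparse(url).hostname       # None for relative paths
        except ValueError:                      # malformed URL, skip it
            return
        if host:
            self.refs.append((host.lower(), where))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.add(dict(attrs).get("src") or "", "script-src")

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):                # body of an inline <script>
        for url in (URL_RE.findall(data) if self.in_script else ()):
            self.add(url, "inline-script")

    def handle_comment(self, data):             # text inside <!-- ... -->
        for url in URL_RE.findall(data):
            self.add(url, "html-comment")

def audit_page(html, allowed_hosts):
    """Return sorted (host, where, verdict) for hosts outside the allowlist."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return sorted({(h, w, "known-ioc" if ("." + h).endswith(KNOWN_BAD) else "unlisted")
                   for h, w in parser.refs if h not in allowed_hosts})
```

Run against rendered storefront pages on a schedule, any "unlisted" host is a change to review and any "known-ioc" host matches a domain the article attributes to this campaign.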
Users can protect themselves by adopting privacy-focused browsers like Brave or Tor and using anti-fingerprinting extensions to limit tracking and ensure greater anonymity online.