Merry Maker is a fully scalable tool to detect the presence of digital skimmers.
Merry Maker is a solution designed to detect the presence of digital skimmers, built by two Target security developers, @cawalch and @ebrandel.
Fundamentally, Merry Maker operationalizes three key processes:
- Preserving a baseline of existing pages by saving the code being served by a website along with the network traffic generated by test transactions
- Scanning the saved code for any malicious indicators
- Scanning the saved network traffic for any potential compromise
Merry Maker continually simulates online browsing and completes test transactions to scan for the presence of malicious code. It acts like a guest on Target.com by completing several typical activities, including online purchases. While doing so, the tool gathers and analyzes a variety of information, including network requests, JavaScript files, and browser activity to look for any type of unwanted activity. Merry Maker was built to execute on all of this at scale.
Merry Maker's purchases are flagged as test orders internally so that they don't get processed, but otherwise, everything happens behind the scenes just as it normally would during check out. If any possible malicious activity is detected, Merry Maker triggers an alert to Target's 24/7 Cybersecurity Incident Response Team to prompt an investigation.
Since its launch in 2018, Merry Maker has completed over one million website scans and we've filed multiple patent applications. The technology helps keep the holiday shopping season safe and merry here at Target (hence the name).
We have open sourced the Merry Maker framework along with several detection rules in the hopes that this information helps other cybersecurity teams stand up their own customized defense.
- Puppeteer scripts to simulate user interactions
- Yara rules for static analysis
- Hooks native JavaScript function calls for detection and attribution
- Near real-time browser event detection and alerting
- Distributed event scanning (rule engine)
- Role based UI with local and OAuth2 authentication options
- mmk-js-scope Enumerates javascript requests and hooks native function calls with Headless Chrome for use by Merry Maker
- mmk-types Shared typings between services - only needed for developers
# Start all the services
docker compose -f docker-compose.all.yml up
Navigate to http://localhost:8080 to begin.
- docker
- node v14.18.1
Includes postgres, redis and a testRedis instance
# from ./
docker compose up -d
API service for the frontend and scanner
DB Migration
# from ./backend
yarn migrate
# from ./backend
yarn install
yarn start
Testing
yarn test
Uses nodemon to auto reload on change. Listens on two separate HTTP ports (UI and transport)
Vue dev server for developing the frontend. Run backend prior to starting this service
# from ./frontend
yarn install
yarn serve
Main scheduler for running scans, purging old data, and misc cron jobs
# from ./backend
yarn jobs
Rules runner for processing browser events emitted by jsscope
# from ./scanner
yarn install
yarn start
Testing
yarn test
export MMK_AUTH_STRATEGY=oauth
export MMK_OAUTH_AUTH_URL=http://oauth-server/auth/oauth/v2/authorize
export MMK_OAUTH_TOKEN_URL=https://oauth-server/auth/oauth/v2/token
export MMK_OAUTH_CLIENT_ID=client_id
export MMK_OAUTH_SECRET=<oauth-secret>
export MMK_OAUTH_REDIRECT_URL=http://localhost:8080/api/auth/login
export MMK_OAUTH_SCOPE=openid profile email
Copyright (c) 2021 Target Brands, Inc.