Websites used to be built—coded by a team of developers line by line. Now, they are assembled. Developers of varying capabilities build websites composed of chunks of pre-written code with varying functionality. Themes, scripts, templates, applets, plugins, and huge blocks of code from disparate sources are commonly pulled together to make a website. In fact, modern web applications load an average of over 20 third- and fourth-party scripts as part of the user experience. While these third-party code snippets and applications quickly add functionality to improve the user experience, they are also fertile ground for vulnerable code that can be easily manipulated by threat actors.
Third- and fourth-party code is often accessed from open-source repositories like GitHub. And herein lies the issue. When you bring in somebody else’s code, you not only incorporate the code’s logic, but you also incorporate everything else the developer has embedded—including vulnerabilities and coding errors. When building a website using third-party code, you are trusting the developer to have considered application security during development. Unfortunately, for many developers, security is an afterthought. So, businesses risk inadvertently introducing vulnerabilities, code weaknesses, and, worse, malware into their web app or site. Sadly, Magecart and e-skimming are often the result of these issues.
Hackers working around the world are constantly on the lookout for website and web application vulnerabilities. Spear phishing, brute force attacks, ransomware, and other cyberthreats dominate the headlines. However, while the server side gets the media’s attention, and the CISO’s budget, it’s often the client side that hides the land mines. There are approximately 20,000 client-side breaches a year. Now that the European Union has released its General Data Protection Regulation (GDPR) and U.S. government entities are fining businesses for breaches, securing the client side is paramount and requires immediate attention.
Customers interact with your business through your sites and web apps. This is where they learn about you and pay for goods and services. But security isn’t limited to just public-facing websites. Companies use a wide range of internal web apps. HR, purchasing, and marketing all deploy solutions to align and drive company goals, which are invariably to increase efficiency and generate revenue. Meanwhile, the front end often remains untested, unmonitored, and vulnerable.
Plus, there are internal dynamics. A classic example is balancing corporate sales goals and corporate security, often best observed in the interactions between the marketing and IT departments. Marketing wants to get stuff out and IT wants to keep stuff out. An improved user experience necessitates a constant demand for increased functionality—better tools, more speed, and increased bandwidth. Unfortunately, it can take months to submit a proof of concept, go through IT vetting, get budget approval, pass the compliance board, test, and go to production. When corporate sales and revenue goals are on the line, this can be a non-starter. And that’s a recipe for covert operations. Marketing may get its functionality but at the risk of security.
What’s hiding in plain sight?
The best cat burglar is silent and invisible. The same is true with threat actors that compromise a website or web application. Malicious code can lie undetected right under the users’ fingertips. Meanwhile, it captures their data from form fills, chatbots, and financial transaction pages. The most common path is scraping via keystroke capture. Scripts log, mirror, and save user information as they enter it online. Cross-site scripting and request forgeries are popular threat actor attack tactics.
Who are the bad guys?
Scores of highly trained cybersecurity professionals devote their lives to detecting and responding to cyberattacks. On the other side, similarly brilliant minds spend their waking hours devising cyberattack strategies, tactics, and malware that are as sophisticated as they are sinister.
There are large-scale hacking groups made up of dozens of hackers and even larger state-sponsored agencies, such as the well-documented activities by the Russian government. While some Eastern Bloc states may lead the pack, they are not the only hotspot: North Korea and China are also big players in nation-state sponsored cyberattacks. And other countries in Asia and South America, as well as Europe and the United States, all house active threat actor communities.
How do I protect my users from Magecart and e-skimming?
If you are a managed security service provider (MSSP), app developer, or responsible for your company’s online presence, it’s up to you to prevent web asset infiltration and data exfiltration. This requires a complete understanding of your inventory. It also requires access to the tools to identify and eradicate malicious code now and in the future and continued vigilance to protect your business and your customers.
The proper defense technique is built on three pillars:
- Detect & Identify: Know your web assets and the data they hold and perform deep-dive scans frequently to reveal intrusions, behavioral anomalies and unknown threats, as well as uncover weaknesses in your client-side security posture. This stage includes communicating the threat landscape and client-side attack surface to internal stakeholders for remediation.
- Prioritize & Respond: With a complete view of the client-side attack surface across all the digital properties, you can find and take corrective action against Magecart and e-skimming and other client-side cyberattacks.
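One concrete form the Detect & Identify step can take is an inventory of every script a page loads, checked against an allow-list of approved third-party hosts and for the presence of Subresource Integrity hashes. The following is an added example written for this article, not code from the original page or any vendor; the sample HTML, the approved host list, the site hostname and the integrity value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one allow-listed vendor
# script with an SRI hash, one unknown third-party script without one,
# and one inline script. The integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.com/widget.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.unknown-tracker.example/t.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

# Hypothetical allow-list of third-party hosts the business has vetted.
APPROVED_HOSTS = {"cdn.example-vendor.com"}


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, approved_hosts, site_host="www.example.com"):
    """Return a list of (finding, src) tuples: external scripts served from a
    host that is not on the allow-list, external scripts loaded without an
    integrity attribute, and inline scripts (recorded for inventory)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            findings.append(("inline-script", None))
            continue
        host = urlparse(src).netloc
        if host in ("", site_host):
            continue  # first-party script; the allow-list applies to third parties
        if host not in approved_hosts:
            findings.append(("unapproved-host", src))
        if not attrs.get("integrity"):
            findings.append(("missing-sri", src))
    return findings
```

Running the audit on a stored baseline of each page and diffing the output over time turns a one-off check into the frequent, repeatable scan the Detect & Identify pillar calls for.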
The goal is to deliver customer experiences without risk or compromise. The dangers that come through the front end are significant, as are the historic challenges to defeat them: complexity, a lack of visibility, and an inability to uncover, remediate, and prevent client-side security threats. But with knowledge of what is needed, it can be done and not just said.