Imagine it's December, the biggest sales time of the year. Your e-commerce site is up and running, complete with a robust and diverse inventory for buyers. A few days into the shopping season, you notice an unusually high number of cart abandonments and quite a few customers leaving after viewing a couple of different web pages.
You check the web pages. They look fine; in fact, better than fine. (You spent a little extra this year improving the graphic design.)
Everyone is stumped. Nothing seems to account for the decreased customer engagement and the declining number of purchases.
You've been hijacked
Unbeknownst to you and your creative team, your business site has been hijacked by unauthorized ad injections promoting a discount if the customer clicks on the pop-up box that appears. When clicked, the customer is redirected to a different site. This type of client-side threat is referred to as customer journey hijacking. By taking advantage of vulnerabilities and bugs that exist in the business's web application programming, malicious threat actors have been able to insert ads that redirect customers to alternative e-commerce sources. And because these ad injections are happening on the client side, they're only visible on the customer's device, and not on the business's server.
A recent study of "customer journey hijacking" found that as many as 20% of all online shopping sessions are exposed to unauthorized and invasive advertising injections. While lost revenue is clearly a negative consequence of hijacking, a business's reputation can also be affected due to annoying pop-ups and slowed page loading times.
The problem is client-side compromises
Client-side threats are achieved by injecting malicious scripts into the code used to annotate or format a webpage. Because client-side activity happens when a customer is surfing the e-commerce site, it is happening outside of a business's security perimeter. Typical security technologies won't protect the customer (or the business) from malicious activity that is occurring on dynamic web pages accessed from the customer's own device. Essentially, your customer has downloaded malicious code, in the form of pop-up ads, from your server, which is then interpreted and rendered by the customer's browser on the customer's device.
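Because the injected content exists only in the rendered page, one place to look for it is the page itself. The following is an added example, not code from this article or from any product it mentions: it checks script and iframe elements seen in a rendered page against a list of approved origins. The function name, record shape, reason strings and all URLs are assumptions made for the illustration.

```javascript
// Added example: audit elements added to a rendered page against an origin allowlist.
// In a browser, a MutationObserver callback could supply the records (tag name + src).
const WATCHED_TAGS = new Set(["script", "iframe"]);

// Constructed sample data; every URL below is a placeholder.
const PAGE_URL = "https://shop.example/cart";
const ALLOWED_ORIGINS = ["https://cdn.shop.example"];
const SAMPLE_ELEMENTS = [
  { tag: "SCRIPT", src: "/static/cart.js" },                      // same origin
  { tag: "script", src: "https://cdn.shop.example/lib.js" },      // approved CDN
  { tag: "script", src: "//coupons.ads.example/inject.js" },      // unknown origin
  { tag: "iframe", src: "https://deals.ads.example/popup.html" }, // unknown origin
  { tag: "iframe", src: "data:text/html,offer" },                 // opaque origin
  { tag: "img", src: "https://pixel.ads.example/p.gif" },         // tag not watched
  { tag: "script", src: "https://cdn.shop.example.mirror.example/lib.js" }, // lookalike
  { tag: "script" },                                              // inline script
];

function auditAddedElements(elements, pageUrl, allowedOrigins) {
  // Exact origin comparison (scheme + host + port), never substring matching.
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const el of elements) {
    const tag = String(el.tag || "").toLowerCase();
    if (!WATCHED_TAGS.has(tag)) continue;
    if (!el.src) {
      findings.push({ tag, src: null, reason: "inline-or-empty" });
      continue;
    }
    let origin;
    try {
      origin = new URL(el.src, pageUrl).origin; // resolves relative and //host URLs
    } catch {
      findings.push({ tag, src: el.src, reason: "unparseable-url" });
      continue;
    }
    if (origin === "null") {
      // data: and javascript: URLs report the opaque origin "null"
      findings.push({ tag, src: el.src, reason: "opaque-origin" });
    } else if (!allowed.has(origin)) {
      findings.push({ tag, src: el.src, origin, reason: "origin-not-allowed" });
    }
  }
  return findings;
}

for (const f of auditAddedElements(SAMPLE_ELEMENTS, PAGE_URL, ALLOWED_ORIGINS)) {
  console.log(`${f.reason}: <${f.tag}> ${f.src || "(no src)"}`);
}
```

The lookalike host is flagged because the comparison is on the full origin, so a name that merely begins with an approved hostname does not pass.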
The types of vulnerabilities that make ad injections and customer journey hijacking easy include:
- Vulnerable website tools, like JavaScript.
- Lack of attention to web application vulnerabilities.
- Multiple, layered (but likely vulnerable) web applications designed to add website functionality.
- Increasing number of third- and fourth-party sources creating and distributing vulnerable applications.
- Misconfigurations and malicious code in open-source tools.
Fight customer journey hijacking with the right security solutions
Not all cybersecurity solutions are created equal. Some are designed to do very specific things, and most traditional solutions, like web application firewalls (WAFs), policy controls, and threat intelligence, while effective at protecting the server side, are not going to protect against malicious attacks targeting the client side.
Implementing client-side security is vital to protect and defend your customer data and your business. To protect against the types of vulnerabilities that contribute to customer journey hijacking and other threats like formjacking, cross-site scripting (XSS), and Magecart attacks, businesses need to consider solutions that have no impact on website functionality but still offer the right type and level of security.
Feroot Security specializes in tools that help protect from client-side attacks. If you would like to ensure your website is using the latest security tools, check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers. And if you would like to see our products in action, please request a demo here: link.