October 16, 2020
Threat actors target information, including usernames, passwords, payment details, credit card details, billing address, name, email, phone number, and other types of personal, health, and commercial information.
Any organization in the financial services, banking, e-commerce, healthcare, government, technology, or SaaS industries that offers services through its website without effective client-side security controls in place is potentially vulnerable. More than 19,000 web skimming breaches, including ones at high-profile international organizations, were identified in 2019.
These client-side attacks often compromise target websites through the third-party software libraries that organizations rely upon. Threat actors inject malicious code into the client-side code base; it executes within the browser session and redirects, copies, or otherwise exfiltrates information from the client device to infrastructure under the attacker’s control.
Examples of third-party applications targeted by attackers include live chatbots, customer service functions, advertising scripts, marketing forms, marketing tags, open-source libraries, and various other elements loaded by the client’s browser.
Web-based data skimming is a continually evolving, persistent threat. According to Willem de Groot’s security research report, one in five Magecart victims is re-infected within days.
A critical part of client-side inventory discovery and management is determining which scripts have access to sensitive data but are not actually being used, often referred to as ‘zombie scripts.’ Always know what data passes through the client side of the website, what sensitive data is collected, and which application elements and third-party elements (i.e., scripts and libraries) have access to or touch that data:
Review code and security control configuration to identify potential vulnerabilities and misconfigurations.
Perform security and vulnerability assessments of all scripts and code elements that the website loads into the browser.
Use vulnerability assessment tools to test web applications for vulnerabilities.
Use security-control-integrity, file-integrity monitoring, and change-detection automation systems.
Implement client-side intrusion detection to detect run-time, browser-level intrusions.
Combining defense in depth with the zero-trust model is the best defense strategy against intelligent web skimming attacks, including Pipka. With a multi-layered defense against web skimming attacks, you will be able to prevent or significantly minimize client-side threats.
Harden and tamper-proof the client side of your web applications.
Continuously analyze all client-side scripts for the presence of activities that you didn't authorize.
Implement vulnerability and malware monitoring for the client side of the web application.
Implement client-side intrusion prevention to block run-time, browser-level intrusions in real time.
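As an added example (not code from the original post), the script-inventory, change-detection and tamper-proofing steps from the two lists above, combined into one offline check in Python: it inventories every external script a page loads, flags third-party hosts, compares each script body against baseline hashes from the last review, and verifies Subresource Integrity (SRI) attributes. The page HTML, script bodies, baseline hashes and host names are constructed sample values.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (inline so the check runs offline): a checkout page and the scripts it loads.
SCRIPT_BODIES = {
    "https://shop.example/static/checkout.js": b"function pay(){}",
    "https://chat.vendor.example/widget.js": b"window.chat={v:2};",
    "https://cdn.unknown-host.example/track.js": b"/* unreviewed script */",
}
def sri_value(body, algo="sha384"):  # Subresource Integrity value: '<algo>-<base64 digest>'
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()
CHECKOUT_SRI = sri_value(SCRIPT_BODIES["https://shop.example/static/checkout.js"])
PAGE_HTML = f"""<head>
<script src="https://shop.example/static/checkout.js" integrity="{CHECKOUT_SRI}"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script src="https://cdn.unknown-host.example/track.js"></script></head>"""
BASELINE = {  # hashes from the last review: widget.js was v1 then, track.js was never approved
    "https://shop.example/static/checkout.js": hashlib.sha256(b"function pay(){}").hexdigest(),
    "https://chat.vendor.example/widget.js": hashlib.sha256(b"window.chat={v:1};").hexdigest(),
}
FIRST_PARTY_HOSTS = {"shop.example"}

class ScriptCollector(HTMLParser):  # inventory every external <script src>, with its SRI value if any
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit(html, bodies, baseline, first_party):  # -> {script_url: [issues]}; [] means clean
    collector = ScriptCollector()
    collector.feed(html)
    findings = {}
    for src, integrity in collector.scripts:
        body, issues = bodies[src], []
        if urlparse(src).hostname not in first_party:
            issues.append("third-party")        # loaded from a host you do not control
        if src not in baseline:
            issues.append("not-in-baseline")    # never reviewed: zombie or injected script
        elif hashlib.sha256(body).hexdigest() != baseline[src]:
            issues.append("changed")            # content drifted since the last review
        if integrity is None:
            issues.append("no-sri")             # browser cannot verify it at load time
        elif sri_value(body, integrity.split("-", 1)[0]) != integrity:
            issues.append("sri-mismatch")       # served content differs from the pinned digest
        findings[src] = issues
    return findings
```

Running `audit(PAGE_HTML, SCRIPT_BODIES, BASELINE, FIRST_PARTY_HOSTS)` reports the chat widget as changed since its baseline and the unknown script as never reviewed, while the SRI-protected first-party script comes back clean.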