Web scammers are using the COVID-19 crisis to attack your customers with Magecart and other client-side exploits

During these difficult times, people are increasingly relying on e-commerce. It’s never been more important to defend against Magecart and other client-side attacks, says Tala CEO Aanand Krishnan.

In these difficult times, e-commerce has become a lifeline for both customers and retailers. With-e-commerce sales projected to grow to US$6.54 trillion by 2022, cybercriminals see a bonanza to exploit and are ramping-up their activities to skim credit cards, credentials and PII. 

Right now, less than 1% of website operators are deploying security policies capable of preventing client-side attacks. It has never been more important to take a proactive approach to protecting your website and customers from attacks like Magecart and cross-site scripting (XSS). Where do you start? Let’s take a look at one of the most popular attacks.

Magecart and third-party code exploits

One of the most effective approaches favoured by cybercriminals is magecart, sometimes referred to as formjacking: injecting malicious JavaScript code into a website that allows them to exfiltrate any information entered by the customer: credit card details, banking information, passport numbers, credentials and any personal data. 

Increasingly, attackers are targeting third-party applications and services integrated into websites – such as chat, tags, analytics or e-commerce tools – to launch these attacks. Two million skimmers were identified operating on websites last year alone. 

Monitor, control, protect with comprehensive security standards

What makes this technique so effective is that these attacks can go undetected for months or even years. It all happens on the client-side, in the browser. It doesn’t impede the transaction in any way, so the customer carries on, the retailer receives their payment and no one spots anything. Until they do –  usually when a bank detects an alarming trend of fraud with a common denominator.

The best defense against client-side attacks like these starts with identifying how much third-party code is running on your site. The next layer comes with establishing the norms of behavior for those applications. To detect and block these attacks, your next line of defense comes courtesy of the same group of experts that laid the foundation for all the rich content on today’s modern web: Security Standards, including:

CSP + SRI + HSTS + Referrer Policy + Feature-policy + Trusted Types +Clear-Site-Data = A comprehensive web security strategy built on the expertise of the web’s leading innovators and developers.  This standards-based security framework operates in a state of continuous innovation and enhancement as standards evolve.

Implementing these standards ensures that form data is sent only to the intended source – and that malicious scripts are prevented  from sending data to the attacker’s server. For example, if you want to protect login data (username/password), banking data or credit card information, and that data should only be sent to “example.com” and the attacker’s code is trying to exfiltrate the data to “magecartexample.com”, a properly configured CSP would block the exfiltration request to the bad server and send real-time attack notification. For additional security, SRI (subresource integrity) would allow you to stop malicious code from executing altogether. 

It doesn’t have to be difficult

Tala’s technologies automate the deployment and tuning of these high-quality, standards-based security capabilities, including fine-grained CSP and SRI. You get all the website protection you and your customers need against Magecart and other client-side attacks without having to worry about performance impacts, resources, time-constraints or keeping up with any changes. Above all, your website will continue to perform as normal – these are security standards designed by web experts for web experts, they were developed to support the rich web experience that everyone expects today. 

Securing websites against this accelerating attack should be an imperative for every website owner. Get your FREE website analysis today and see how easy it can be to secure your site against every type of client-side attack. Learn more about how Tala prevents Magecart here


*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Aanand Krishnan, CEO and Founder of Tala Security. Read the original post at: https://blog.talasecurity.io/web-scammers-are-using-the-covid-19-crisis-to-attack-your-customers-with-magecart-and-other-client-side-exploits