Online fraud at an all-time high amidst the global pandemic

Client-side attacks have become significantly more prominent in recent years, gaining popularity since 2015. As online activity rises due to the global pandemic, 2020 has been no exception, with the most susceptible target, e-commerce, becoming more lucrative than ever.

The Client-Side Problem Explained

When interacting with a web application, numerous actions take place in the background. These can generally be divided into two categories, differentiated by where they take place: the client-side (i.e., actions taking place on the end-user’s device) and the server-side (i.e., actions taking place on the web server). In recent years, attackers have found it easier to carry out attacks on the client-side, as these are more difficult for organizations to detect and handle (more on that later).


How does the client-side get compromised in the first place? There are multiple scenarios in which this could happen, such as cross-site scripting, a compromised package, or a compromised S3 bucket, to name just a few.

Once the client-side is compromised, it opens up a slew of malicious opportunities for hackers. Take Magecart, for example, a notorious collective that focuses mainly on credit card skimming online. The term is also commonly used to refer to their attacks, encompassing various client-side threats that all share the same goal: skimming data either through first-party JavaScript or through a third-party (aka the supply chain). These attacks work by injecting JavaScript into first-party code or into the code of third-party services used on legitimate websites. And because JavaScript executes on the client-side, it enables the attacker to collect sensitive personal information directly from the client every time a customer enters their information into a site.

Where There is Personal Information – There is Gain

E-commerce websites, together with airlines and ticketing platforms, have been a top-priority target for these attacks in recent years. These sites usually rely on various third-party services in order to enrich the customer experience, such as live chat for customer service, an e-commerce platform and a payment gateway, to name a few. According to The State of Security Within e-Commerce report, online retailers use an average of 31 JavaScript resources per site. Furthermore, e-commerce sites are heavily form-reliant, usually requiring a login as well as a checkout form. This makes them the perfect victim for formjacking attacks.

The Effects of the Pandemic on Online Shopping

According to Imperva Research Labs, just shortly after the orders to stay at home were given, there was a 28% increase in online retail traffic. Data from the United Nations Conference on Trade and Development (UNCTAD) reveals a similar picture. As they stated, the pandemic has accelerated the shift towards a more digital world and triggered changes in online shopping behaviors that are likely to have lasting effects. The biggest gainers are electronics, gardening/do-it-yourself, pharmaceuticals, education, furniture/household products and cosmetics/personal care categories [1]. This trend is predicted to grow in 2021. And with many businesses forced to change the way they conduct their sales, the risk of fraud is growing exponentially.

A Real World Problem With Significant Ramifications

A recent example of such fraud is a multi-platform card skimmer that was discovered on some major e-commerce platforms [2]. The skimmer was able to “take over” the checkout process by injecting a malicious, spoofed checkout form that accurately masqueraded as the legitimate one. This goes to show the level of sophistication involved in these recent attacks, which are able to abuse even the biggest hosted e-commerce platforms.

This matters to organizations for more than just the fierce blow to their reputation. The fact that the client-side could be abused by hackers to obtain PII (Personally Identifiable Information) is as severe a data breach as stealing data directly from the server. This raises concerns of non-compliance with PCI, GDPR, CCPA and others. Just recently, significant fines have been issued in the airline industry, amounting to millions of dollars for non-compliance with GDPR.

A Challenging Threat for Security Teams

Managing the risks of client-side attacks like Magecart can prove a difficult challenge. The many third-party services found on websites today execute on the client-side, which makes them a blind spot for the security organization. A key part of the strategy for security teams is to keep an inventory of all the third-party services used in their applications, but this isn’t easy, as the security team usually doesn’t take part in the development cycle. Another option is to make use of HTTP Content-Security-Policy headers, although these are extremely difficult to implement and maintain across the organization.
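The following is an added example, written for this edit and not code from the original post or from Imperva. It demonstrates the two defensive moves described above and in the Magecart section: taking an inventory of the third-party scripts a page loads and checking it against an approved-host list, then deriving a Content-Security-Policy from that list whose violation reports surface scripts and data transfers to hosts nobody approved. The page markup, host names, the approved list and the violation reports are all constructed for illustration; the report shape is the JSON a browser sends to a `report-uri` endpoint.

```javascript
// Added example (not Imperva's code and not part of the original post). Inventory of
// third-party scripts, allowlist check, CSP derivation and violation-report triage.
// Every host, URL and report below is constructed for illustration.

// Constructed checkout page: one first-party script, three approved vendors, one
// unknown tag, and an inline script (which carries no src and is not inventoried).
const SAMPLE_HTML = `
<html><head>
<script src="/static/main.js"></script>
<script src="https://cdn.example-shop.com/app.js"></script>
<script src="https://chat.example-livechat.net/widget.js"></script>
<script src="https://pay.example-gateway.com/checkout.js"></script>
<script src="https://static.unknown-tag-host.xyz/t.js"></script>
<script>/* inline bootstrap code */</script>
</head><body><form action="/checkout"></form></body></html>`;

const FIRST_PARTY_ORIGIN = 'https://www.example-shop.com';

// Hosts the security team has reviewed and approved (assumed allowlist).
const APPROVED_HOSTS = new Set([
  'cdn.example-shop.com',
  'chat.example-livechat.net',
  'pay.example-gateway.com',
]);

// Step 1: inventory every <script src=...> and resolve it against the page origin.
// (A regex is enough for this illustration; real tooling would walk the DOM.)
function inventoryScripts(html, pageOrigin) {
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const inventory = [];
  let m;
  while ((m = tag.exec(html)) !== null) {
    const url = new URL(m[1], pageOrigin); // relative paths resolve to first party
    inventory.push({ src: url.href, host: url.host, thirdParty: url.origin !== pageOrigin });
  }
  return inventory;
}

// Step 2: which third-party hosts on the page are missing from the approved list?
function unapprovedHosts(inventory, approved) {
  const hosts = inventory.filter((s) => s.thirdParty && !approved.has(s.host)).map((s) => s.host);
  return [...new Set(hosts)];
}

// Step 3: derive a CSP from the approved list. script-src limits what may execute,
// connect-src limits where fetch/XHR/beacon calls may send data, and form-action
// keeps a spoofed checkout form from posting to a foreign host. Violations are reported.
function buildCsp(approved, reportPath) {
  const hosts = [...approved].sort().join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,
    "form-action 'self'",
    `report-uri ${reportPath}`,
  ].join('; ');
}

// Step 4: triage one browser violation report (report-uri JSON shape).
function classifyReport(report, approved) {
  const r = report['csp-report'];
  const directive = r['effective-directive'] || r['violated-directive'];
  let host;
  try { host = new URL(r['blocked-uri']).host; } catch { host = r['blocked-uri']; }
  if (approved.has(host)) return 'approved-host'; // deployed policy lags the allowlist
  if (directive === 'connect-src' || directive === 'form-action') return 'possible-data-exfiltration';
  if (directive === 'script-src') return 'unapproved-script';
  return 'other';
}

// Constructed reports, as a browser would POST them to the report-uri endpoint.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example-shop.com/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://collect.unknown-tag-host.xyz/s' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.com/checkout', 'effective-directive': 'script-src', 'blocked-uri': 'https://static.unknown-tag-host.xyz/t.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example-shop.com/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://chat.example-livechat.net/api' } },
];

// Run the pipeline end to end.
function main() {
  const inventory = inventoryScripts(SAMPLE_HTML, FIRST_PARTY_ORIGIN);
  console.log('third-party scripts:', inventory.filter((s) => s.thirdParty).map((s) => s.host));
  console.log('unapproved hosts:', unapprovedHosts(inventory, APPROVED_HOSTS));
  console.log('Content-Security-Policy:', buildCsp(APPROVED_HOSTS, '/csp-report'));
  for (const rep of SAMPLE_REPORTS) {
    console.log(classifyReport(rep, APPROVED_HOSTS), rep['csp-report']['blocked-uri']);
  }
}
main();
```

Two things the run makes visible. The unknown tag host is flagged before any policy is deployed, which is the inventory step the text says is hard when security is outside the development cycle; and once the policy is live, a `connect-src` violation to a host that appears nowhere in the inventory is the signal that something on the page is sending data out. The policy as generated has no `'unsafe-inline'`, so the inline bootstrap script on the sample page would itself be blocked; production sites need nonces or hashes for such scripts and a review step every time a tag is added or a vendor changes its CDN, which is exactly why the text calls CSP hard to maintain.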

Imperva’s Client-Side Protection Is Easy To Set Up And Understand

Client-Side Protection makes it easier for security teams to gain visibility into all of their application’s third-party components, enabling them to protect their customers’ most sensitive data from fraud. It achieves this by:

  1. Discovering third-party services: when you first onboard your site to Imperva’s Client-Side Protection, it will start monitoring traffic to detect and inventory the third-party JavaScript services used in your application, and will continue to do so automatically.
  2. Providing meaningful security insights on the discovered JavaScript.
  3. Revealing data transfers from your application to any third-party.
  4. Simplifying actions: allow approved domains and block unapproved ones.

Client-Side Protection is available as a part of Imperva’s Cloud Web Application and API Protection (WAAP) solutions. Start your Application Security Free Trial today to try out the security benefits of Client-Side Protection.


This is a Security Bloggers Network syndicated blog post authored by Erez Hasson.