Protecting eCommerce & Retail Sites from Client-Side Attacks

By Source Defense

Nearly 75% of fraud and data breach cases involve eCommerce and retail merchants, according to the latest Visa Biannual Threats Report. Digital skimming attacks targeting eCommerce platforms and third-party code integrations are common. 

Almost all eCommerce websites leverage a dozen or more 3rd and 4th party digital supply chain partners that are beyond the reach of their security and compliance teams. Every day, that digital partner ecosystem puts eCommerce organizations at risk of both data leakage and data theft. 

It only takes one 3rd party partner collecting data it shouldn’t or one compromised rogue script to enable cybercriminals to steal the personal and financial data of your eCommerce customers, destroying your organization’s reputation and threatening its very existence.

Web Browser Vulnerabilities

In the browser, client-side processes are almost always written in JavaScript. According to our team’s latest intelligence, there are more than 1.7 billion public-facing websites worldwide, and JavaScript is used on 95% of them. Frontend JavaScript code has grown in size by more than 347% for desktop and more than 593% for mobile during the last 8 years and keeps growing. 

And therein lies the structural security issue that poses one of the biggest threats to your most critical business channels—protecting your customer data at the point of entry. Javascript is used by all of your 3rd party digital suppliers, including payment card processors, advertising networks, social sharing services, analytics, and more, and it sits outside your security perimeter and is vulnerable to a wide range of attacks.

This code is downloaded dynamically from a remote server, which means that it bypasses the traditional security infrastructure, including the website owner’s firewalls and web application firewalls (WAFs). Third-party and fourth-party scripts have an identical level of control as the website owner’s own script. Every script on the page, no matter its origin, has access and authorship capability, meaning it can change the webpage, access all information on it (including forms), and can even record keystrokes and save them. 

Retailers operating eCommerce sites have limited means to dynamically detect any changes to these 3rd party scripts and no means of using server-side security solutions to prevent them from exfiltrating data or executing other malicious activity from the customer’s browser.

Client-Side Attacks

A client-side attack is a type of cyberattack that targets the user, rather than the server. Client-side attacks can be used to gain access to a user’s account information or to hijack their session. 

So what are some of the ways cybercriminals are exploiting the Javascript vulnerabilities in your digital supply chain?

Formjacking. These attacks can affect millions of people at once, or they can be highly targeted and affect a very specific group of people. Formjacking occurs when online criminals hack into a website to control its entry point where sensitive information is provided. This type of hack is most commonly associated with cybercriminals who seek to steal personal information such as phone numbers and home addresses, which could lead to identity theft.

Payment Card Skimming (e-skimming, digital skimming). While retailers and banks have experienced physical skimming, where the attackers install stealthy credit card skimmer devices on ATM machines or point-of-sale terminals to steal credit card or debit card numbers and PINs, today’s cybercriminals do the same thing on e-commerce websites and skim payment data from input fields on existing payment forms or hijack unsuspecting users to fake checkout pages. 

Magecart. Magecart is a type of digital skimming attack that steals information from customers’ payment cards. They target shopping carts from systems like Magento, where a third-party piece of code, compromised by a systems integrator, can be infected without IT departments knowing about it. This is also known as a supply chain attack.

Form Field Manipulation. Hackers can manipulate form fields to alter the data sent to a web server. They learn about your form field data by studying the source code on your web page. Anyone can do this by right-clicking on a page and choosing “view source code.” The HTML code includes your form field data, which skilled hackers can manipulate using injection attacks and other techniques.

Implications for Business

Data breaches have become a fact of life for organizations across the globe. But what happens after a data breach? 

  • Immediately after a data breach, your company is likely to experience a loss of trust from customers, which can lead to a decline in sales and revenue. 
  • You may also face legal and regulatory penalties and costly lawsuits from affected individuals or groups. 
  • Your reputation will suffer, not only with those impacted customers but through poisoned search results that will keep news of the breach alive on the Internet.
  • You will also likely be forced to spend significant resources investigating the breach and implementing security measures to prevent it from happening again. 
  • Disruptions may include hiring cybersecurity experts, updating software, and training employees to identify and prevent potential threats.

In severe cases, disclosure of the breach details to the general public and shareholders can lead to drops in stock prices, staff turnover, and difficulty hiring new talent.

Defend Your Digital Enterprise

The best approach to defeating client-side attacks and eliminating client-side risk is by taking a proactive approach and deploying technologies that can stop the attacks before they inflict damage on your business or your visitors. By managing the code running on your web pages and within your visitors’ web browsers, a client-side security platform enables real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they can exfiltrate data.

The Source Defense client-side security platform was designed from the ground up to provide not only ironclad security but also burden-free deployment and ongoing use. Source Defense deploys with just two lines of code or is easily added via a suite of off-the-shelf integrations. Maintenance and monitoring require only a few hours per month, ensuring that solving a new problem doesn’t stress already over-taxed security teams.

Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.

The post Protecting eCommerce & Retail Sites from Client-Side Attacks appeared first on Source Defense.

*** This is a Security Bloggers Network syndicated blog from Blog – Source Defense authored by [email protected]. Read the original post at: