Seen as critical to digital transformation and a necessity in the fight against cyberattacks, cybersecurity today is high on any enterprise boardroom agenda. However, discussion into 2020 still focuses on securing internal networks, applications and infrastructure – with little thought given to the vulnerabilities that exist at the company’s front door: its website. More specifically, the threats that lurk at the client side of the website – a place where it has historically been challenging to detect cybercriminals at work.
The surge in attacks has even caught the eye of the FBI: in October 2019 it issued a warning to US companies to be on their guard against digital skimming, a type of cyberattack that occurs on the client side of the victim’s website. It is the calling card of a syndicate of cybercriminals called Magecart, which is deemed responsible for a spike in attacks over the past 12 months. In fact, formjacking now accounts for seven out of ten web breaches.
The financial and reputational fallout from such attacks can be devastating. Here we look at how client-side attacks occur and what you can do to prevent them.
What is a client-side cyberattack?
Client-side attacks occur when malicious code is injected into a company website, often via one of the third-party technologies it loads. These third parties can come with hidden vulnerabilities which hackers can exploit to gain entry to the website, as was the case with the Ticketmaster data breach.
Why are client-side cyberattacks so dangerous?
Once the malicious code is injected, it is executed in the user’s browser when they visit a website. This is how digital skimming, or formjacking, has been so successful. PCI compliance prevents customers from storing their three-digit credit card security number on an ecommerce website’s servers, so hackers must grab this and other personally identifiable information (PII) as it is entered on the payment forms of checkout pages in real time.
The danger is amplified as the whole process happens away from the website’s servers at the client side – where traditionally the business has had little or no visibility into the damage that is being inflicted or the threat to the customers. There is no disruption to the customer’s checkout experience, and so the hacking groups such as Magecart are free to continue their criminal activities.
In the case of skimming attacks such as the one carried out on the Macy’s website, the malicious code was only discovered after it had done its damage. The attackers were able to successfully place credit card skimmers without detection, harvesting data for several days before they were discovered.
How can I boost client-side security?
There are some protective measures usually advocated to help secure client-side activities on websites. These include Content Security Policy (CSP), which restricts what can be loaded or executed on a webpage, and Subresource Integrity (SRI), which can help detect unauthorized changes to external resources. However, both depend on third-party vendor support, which in many cases is not provided. Organizations also need to assess the impact that running these technologies will have on their website’s performance, functionality and ongoing maintenance.
It is advisable to think about these technologies in the context of a holistic, multi-layered security strategy that includes website security (MarSec™). Ensighten’s MarSec™ solution enables you to monitor and securely manage the expanding ecosystem of third parties on your website to protect against data leakage in real time.
Ultimately, it is vital that client-side website security is treated with the same sense of urgency as any internal threat to an organization. If ignored, your business could become the next victim of a destructive cyberattack. Get in contact to learn more about how you can protect against client-side data leakage through website security.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.