Client-Side JavaScript: The Impact on Ecommerce Websites

Seen as critical to digital transformation and a necessity in the fight against cyberattacks, cybersecurity today is high on any enterprise boardroom agenda. However, discussion into 2020 still focuses on securing internal networks, applications and infrastructure – with little thought given to the vulnerabilities that exist at the company’s front door: its website. More specifically, the threats that lurk at the client side of the website – a place where it has historically been challenging to detect cybercriminals at work.

Yet, client-side JavaScript attacks have risen dramatically over the last couple of years. High-profile names such as Ticketmaster and Macy’s have all been victims of these types of attacks, which are carried out against their ecommerce websites in a bid to steal customers’ credit card information.

The surge in attacks has even caught the eye of the FBI – in October 2019 it issued a warning to US companies to be on their guard against digital skimming, a type of cyberattack that occurs on the client side of the victim’s website. It is the calling card of a syndicate of cybercriminals called Magecart, which are deemed to be responsible for a spike in attacks over the past 12 months. In fact, formjacking now accounts for seven out of ten web breaches.

The financial and reputational fallout from such attacks can be devastating. Here we look at how client-side attacks occur and what you can do to prevent them.

What is a client-side cyberattack?

Put simply, ‘client-side’ refers to any activity that occurs on the user’s computer, as opposed to ‘server-side’ where the action takes place on a web server. Many modern web applications have been moved to client-side JavaScript libraries to achieve better performance and experience for the end-user, and to reduce the load from server-side processing. Between November 2010 to January 2019, the use of client-side JavaScript code has grown more than 347 percent for desktop and 593 percent for mobile.

It is important to acknowledge the role that JavaScript plays in enabling the modern ecommerce website to function. Most sites today rely on an ecosystem of third-party JavaScript code to boost functionality, process payments, improve the user experience or help marketers capture valuable customer data. The average ecommerce website now uses between 40-60 third-party technologies to create their online experiences.

However, these third parties can come with hidden vulnerabilities which can be exploited by hackers to gain entry to the website – as was the case with the Ticketmaster data breach. Client-side attacks occur when malicious code is injected into a company website, often via one of these third party technologies.

Why are client-side cyberattacks so dangerous?

Once the malicious code is injected, it is executed in the user’s browser when they visit a website. This is how digital skimming, or formjacking, has been so successful. PCI compliance prevents customers from storing their three-digit credit card security number on an ecommerce website’s servers, so hackers must grab this and other personally identifiable information (PII) as it is entered on the payment forms of checkout pages in real time.

The danger is amplified as the whole process happens away from the website’s servers at the client side – where traditionally the business has had little or no visibility into the damage that is being inflicted or the threat to the customers. There is no disruption to the customer’s checkout experience, and so the hacking groups such as Magecart are free to continue their criminal activities.

In the case of skimming attacks such as the one carried out on the Macy’s website, the malicious code was only discovered after it had done its damage. The attackers were able to successfully place credit card skimmers without detection, harvesting data for several days before they were discovered.

How can I boost client-side security?

There are some protective measures usually advocated to help secure client-side activities on websites. These include Content Security Policy (CSP), for restricting what can be loaded or executed on a webpage, and Subresource Integrity (SRI), which can help detect unauthorized changes of external resources. However, this is dependent on third-party vendor support, which in many cases is not provided. Also, organizations need to assess what the impact of running these technologies will have on website performance, functionality and ongoing maintenance of their website.

It is advisable to think about these technologies in the context of a holistic, multi-layered security strategy, which includes website security (MarSec™) for your website. Ensighten’s MarSec™ solution enables you to monitor and securely manage the expanding ecosystem of third parties on your website to protect against data leakage in real time.

Ultimately, it is vital that client-side website security is treated with the same sense of urgency as any internal threat to an organization. If ignored, your business could become the next victim of a destructive cyberattack. Get in contact to learn more about how you can protect again client-side data leakage through website security.