Is Your Website a Security Blind Spot?

February 4, 2019 - Ensighten

In this current era of digital transformation, your website as a digital platform has never been more important to your business. Websites are evolving to offer cross-channel, personalized and user-centric web experiences to match increasingly high customer expectations.

Yet despite significant investment from companies into getting the look, feel, and user experience right on their websites, many fail to address perhaps the most important aspect: website security.

It seems incongruous that, despite being a highly valued entry point for customer interaction and a conduit for a wealth of personal and financial customer data, the front end, or client side, is considered the most vulnerable part of a website. As such, it is often targeted by hackers looking to steal valuable customer data.

JavaScript vulnerabilities

Most websites today use JavaScript, which can capture data about the customer experience as well as performance metrics for the website. Unfortunately, JavaScript carries inherent dangers: it can be manipulated by hackers and so threaten your website security. Most commonly, they inject malicious code to steal customers’ financial details.

There have been some high-profile examples of this type of cybercrime, most notably the use of ‘skimming code’ – otherwise known as digital payment card skimming (DPCS) or formjacking – by criminals to scrape website users’ credit card details and other information from payment forms when they are completing an online purchase. They will then use those stolen details to perform payment card fraud or sell them to other criminals on the dark web.

Pertinently, PCI compliance prohibits storing the three-digit credit card security code on a website’s servers, so it makes sense for hackers to focus their efforts on the client side of the website and capture those details as they are entered.

Magecart attacks

The most notable attacks of this kind have been carried out by a collection of cybercrime groups known as Magecart, who were reportedly responsible for at least 319,000 cyber incidents in 2018. For example, Magecart targeted online retailer Newegg by injecting 15 lines of skimming code into its payments page, which remained undetected for more than a month during the summer of 2018. The code siphoned credit card data from unsuspecting customers to a server controlled by the hackers under a look-alike domain name. The server even reportedly used an HTTPS certificate to avoid suspicion.

The group exploited another client-side website security vulnerability in its 2018 attack on Ticketmaster UK, compromising a chatbot supplied by a third-party customer support company. While third-party components such as social media buttons, ad trackers and chatbots add functionality to your website and improve the customer experience, they can also be a security blind spot if you do not have the correct cyber security measures in place.

This is compounded by the fact that malicious changes to a third party’s code base can occur entirely without your knowledge, leaving a massive gap in your cyber security measures. Indeed, Ponemon research shows 59 percent of companies say they have experienced a data breach caused by one of their third parties.

But it’s not just enterprises that need to worry about web and marketing security. Governments have a duty to make their webpages accessible to everyone and, as part of this, use plug-ins that read the text on a site aloud to blind or partially sighted visitors. One such plug-in, Browsealoud from Texthelp, was compromised by hackers who altered its source code to inject cryptomining code into every webpage that loaded it, affecting more than 4,000 government websites around the world.

What can I do to secure my website?

There are products available that can help defend your website from client-side attacks, to an extent. A Content Security Policy (CSP) can help prevent cross-site scripting (XSS), clickjacking and other code injection attacks, but there are still gaps in its capabilities, and it often means a trade-off between website security and functionality.

In addition, Subresource Integrity (SRI) can detect code changes in assets served by a third-party vendor, so that a modified file is refused before it runs. However, SRI struggles to keep up with regular vendor updates and frequent changes to source code, since every legitimate release changes the hash you have pinned. The bottom line is that neither is fully effective against attacks in a rapidly evolving threat landscape. Download our guide to learn more.

You need next-generation website security to ensure your data security is working and your business is safe. Ensighten can help you protect all client-side data against the threats we’ve discussed. Our MarSec™ solution gives you a real-time view of all the technologies running on your website and performs a full privacy risk assessment as web pages are loaded. It can also prevent malicious web injects by loading only resources that are explicitly whitelisted and blocking everything else.

In addition, Ensighten can stop JavaScript-based cryptojacking or cryptomining of the kind seen in the breach of the government websites. It can also add a layer of cyber security against formjacking attacks like the one launched on Ticketmaster UK, by giving you control over which third-party JavaScript is permitted to run in the user’s browser.

As we’ve seen with just these few examples of client-side attacks, you can no longer overlook or dismiss the potential vulnerabilities within your website. The time to secure your website and your customer data is now.