Last week, news broke of a breach affecting two websites owned and operated by San Francisco airport. In a notice dated April 7th, the airport said that the attackers appear to have targeted the usernames and passwords of users of the affected websites.
Over the following days, as more details emerged, some outlets reported that the attackers were a group known as Energetic Bear, a collective believed to be acting on behalf of the Russian Government.
Online skimming techniques used
According to the information released, the attackers injected malicious code into the website that exploited a bug in Microsoft Internet Explorer to steal user credentials. The initial assumption was that website credentials were the target, but it now appears that this was not the case and that device credentials were the actual goal.
Regardless of the ultimate data target, however, injecting malicious code into a website in order to steal data is nothing new. The notorious hacker group Magecart has used this technique for years to steal data from some of the biggest online retailers.
In a code injection attack, cybercriminals exploit vulnerabilities in website code to inject malware into one of the site's legitimate files. When a user navigates to the website, the malicious code is delivered to the user alongside all other website content, where it can perform various malicious actions, including capturing keypresses, scraping the screen or skimming personal data such as credit card numbers.
Third-party libraries make the attack surface larger
Most websites today are incredibly complex, often consisting of thousands of lines of code. While organizations create a significant portion of their website content themselves, they also rely on third-party libraries for functionality such as shopping carts, credit card processing, virtual assistants and analytics.
The reality is that the average website uses between 40 and 60 third-party libraries, sourced from various locations. These libraries are often the work of many different developers, ranging from professional teams to college students. For most organizations, vetting them is an impossible task, so the code is accepted verbatim and on trust.
When an attacker finds an exploitable weakness in one of these third-party vendors, or in the infrastructure used to serve the library, they can inject malicious code that then makes its way onto every website using that library. The challenge for most organizations is that they do not know the malware is there, so it can sit silently stealing customer data for long periods of time.
Mitigating the effects of injection-based attacks
Attacks of this nature typically target user data, and with the large attack surface introduced by third-party libraries, they are largely impossible to prevent outright. Once organizations understand how online skimming attacks happen, the question becomes not if, but when they are breached, and how they can mitigate the effects.
Ensighten enables organizations to prevent online skimming attacks by providing technology that places a filter within a website. This ensures that any data accessed by code, whether first-party, third-party or further down the website supply chain, can only be sent to trusted destinations. Should a library contain skimming malware, the malware would not only be blocked from stealing user data, but the organization would also be alerted to its presence.
Our technologists will work with organizations to identify areas of potential concern, whether or not they use our technology, with no obligation. With online skimming and injection-based attacks in general still relatively unknown, we are happy to talk to businesses, if for nothing more than to help educate them on the risks. Get in contact to book a demo and see our solution in action.
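As an added illustration of the "trusted destinations" control described above (example code written for this post, not Ensighten's product or any code from the original article): a small client-side egress filter that wraps a page's fetch() and navigator.sendBeacon() so that scripts, whether first- or third-party, can only send data to an allow-list of origins, and reports anything else. The origins, the page origin and the onViolation reporting hook are constructed placeholders.

```javascript
// Added example (not Ensighten's product code): a client-side egress filter that only lets
// page scripts send data to an allow-list of trusted origins and reports everything else.
// Origins below are constructed placeholders for the first-party site and its payment processor.
const TRUSTED_ORIGINS = new Set([
  "https://www.example-shop.test",
  "https://payments.example-psp.test",
]);

// Accept strings, URL objects and Request-like objects (which carry a .url property).
function urlOf(target) {
  return target && typeof target === "object" && "url" in target ? target.url : String(target);
}

// Resolve the request target to an origin; relative URLs resolve against the page origin.
// Unparsable targets yield null and are treated as untrusted.
function destinationOrigin(target, pageOrigin) {
  try {
    return new URL(urlOf(target), pageOrigin).origin;
  } catch {
    return null;
  }
}

function isTrustedDestination(target, pageOrigin, trusted = TRUSTED_ORIGINS) {
  const origin = destinationOrigin(target, pageOrigin);
  return origin !== null && trusted.has(origin);
}

// Wrap fetch() and navigator.sendBeacon() on the given global object (window in a browser).
// Untrusted destinations are refused before any bytes leave the page, and the hypothetical
// onViolation callback gives the site operator a detection signal for the attempted exfiltration.
function installEgressFilter(g, pageOrigin, onViolation, trusted = TRUSTED_ORIGINS) {
  const guard = (api, original) =>
    function (target, ...rest) {
      if (!isTrustedDestination(target, pageOrigin, trusted)) {
        onViolation({ api, destination: urlOf(target) });
        // Mirror each API's failure mode: sendBeacon returns false, fetch rejects.
        return api === "sendBeacon"
          ? false
          : Promise.reject(new Error(`egress to ${urlOf(target)} blocked by policy`));
      }
      return original.call(this, target, ...rest);
    };
  if (typeof g.fetch === "function") g.fetch = guard("fetch", g.fetch);
  if (g.navigator && typeof g.navigator.sendBeacon === "function") {
    g.navigator.sendBeacon = guard("sendBeacon", g.navigator.sendBeacon);
  }
  return g;
}
```

In a real deployment the filter must be installed before any third-party script runs, and the same allow-list should be enforced server-side with a Content-Security-Policy (connect-src, form-action, img-src), since a script-level wrapper alone can be bypassed by code that runs first.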