How Third-Party Libraries Can Expose Your Site to Web Skimming Attacks

For many people within the US, September 21 was the last day of summer, ushering in the season for the most active shopping periods of the year. November will see both Black Friday and Cyber Monday take place, where consumers get to work on their holiday purchases as they roll into December. In August, the U.S. Census Bureau announced that the estimate of US retail ecommerce sales for the second quarter of 2020 was $211.5 billion – a 31.8 percent increase from the first quarter. 

Ecommerce is a lucrative target for cybercriminals due to the abundance of financial data being passed around. Hackers look to take advantage of the complexity of today’s websites and the common use of third-party components to stage a new kind of attack; one targeted at stealing payment data directly from the browser in real time. 

The risk of third-party website components

If you examine the code behind most websites, you will find not only content that has been created by the website owner but an abundance of third-party code, consisting of everything from social networking plugins to code that presents virtual chat bots and other functionalities. The average website uses 60 third-party libraries with providers ranging from social networking companies to open source dorm room projects – it is the latter that is the problem. 

Some of these third-party libraries are created by reputable organizations and technology providers but, as mentioned, others are the product of open source projects. Irrespective of the source, however, when a library is included as part of a website and is then delivered to a visitor’s browser, it is processed in the same way as the organization’s code without restriction. In short, the third-party code can capture any information the user enters into the website. 

This poorly understood security weakness is one of the biggest reasons that online skimming attacks are both successful and prominent today. Attackers will find a third-party library which has weak security and insert their malware. Once the malicious skimming code is inserted into a library, any website making use of it will allow the attackers to exfiltrate customer and financial data at will. 

Why are online skimming attacks successful? 

Skimming attacks happen on the client side, that is, they happen in the browser when the user is accessing a website in real time. Unlike traditional security incidents where a hacker will breach an organization’s infrastructure and thus can be seen and caught, web skimming malware runs on the user’s device and any stolen data goes from their device directly to the attacker, meaning the site owner has little to no visibility into this activity. 

When a browser accesses a website, they download all the code and content from the remote servers – both the site owner’s servers but also any third-party libraries used. When the browser has downloaded everything, it processes the code and content, then presents the website to the user. In essence, if an attacker hides malicious code in any of the downloaded resources, the browser will process and run it. 

For many organizations, they simply assume their website is secure because they themselves invest in security. However, they do not consider all the third-party components they use and the potential lack of security that exists on them. Attackers take advantage of the lack of awareness and understanding of this security weakness, leaving many organizations exposed to attacks such as web skimming. 

Preventing web skimming 

The reality is that as a website owner making use of third-party components, you accept an inherent security risk – there is little you can do if a third party is breached.  With that said, removing all third-party components from a website is impractical, leaving many to simply accept the risk. 

Some organizations look to security measures such as Content Security Policy (CSP) as a way of preventing web skimming attacks. They can be efficient when used correctly, but one challenge with approaches such as CSP is that they are difficult to configure and manage and offer little in the way of alerting and reporting. While technologies such as CSP are better than having nothing, the usage of it is impractical for the majority of websites due to their size, complexity, implementation and operation. 

While it is not possible to prevent the breach of a third party out of your organization’s control, it is possible to mitigate the effects of such a breach and prevent customer data from being stolen. Website client-side security can be leveraged to limit what code can do when it runs within the browser, such as where it can send data and what types of data it can send. Learn more about client-side website security in this free guide to online skimming.