Top Five Cyberattacks Targeting Your Website

February 11, 2020 - Ensighten

After a surge in web-based attacks in 2019, criminals are doubling their efforts to steal your customers’ data in 2020

In 2019, we saw cybercriminals evolve their attack methods, expanding into new areas and adding extra layers of complexity to carry out their attacks without detection. In fact, it was deemed to be the “worst year on record” for data breach activity, with web-based attacks exposing more data than any other method.

Experts noted that ecommerce websites in particular experienced a surge in cyberattacks. In 2020, this looks set to continue, with your company website as a prime target for attack.

Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks. With your website susceptible to malicious code injection, unsolicited advertising, digital skimming and third-party vulnerabilities, the risk of data leakage or a full-scale data breach has never been greater.

This all plays out against a backdrop of increasing data protection regulations, such as GDPR in Europe and the recently introduced CCPA in the US, with greater financial penalties for data loss than ever before.

Here we look at the top five cyberattack methods your website faces in 2020.

1// JavaScript (JS) injection

Not only are the type and frequency of cyberattacks on websites increasing, but the hacks are now more lucrative than ever for criminals. Payment card data is the most coveted type of information for criminals to get their hands on, comprising 36 percent of breach incidents.

The widespread use of JavaScript on websites – it is used by 95 percent of sites – has provided a fertile hunting ground for hackers, most commonly through the exploitation of third-party JavaScript to inject malicious code to steal sensitive customer data.

One of the most common JavaScript injection attacks is Cross-Site Scripting (XSS), where a hacker takes advantage of a vulnerability in a webpage to inject their own code and steal user information such as credentials, session cookies and other sensitive data. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code, is particularly hard to detect as the server never gets a chance to see the attack taking place.
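
The DOM-based case described above, as an added example that is not from the original article or from Ensighten: a fragment-driven greeting written first to an HTML-parsing sink and then to a text-only sink, plus the request target the server would actually receive. The URL, the `name` parameter and all function names are assumptions made for illustration.

```javascript
// Added example: a DOM-based XSS sink beside its hardened form.
// SAMPLE_HREF and the "name" parameter are constructed for illustration.
const SAMPLE_HREF = 'https://shop.example/account?tab=orders#name=<i>Ann</i>';

// What the web server receives: browsers do not send the "#fragment" part,
// so server-side filters and logs never contain the injected value.
function serverVisibleTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Client-side source: read a value from the fragment, e.g. "#name=Ann".
function nameFromFragment(href) {
  const params = new URLSearchParams(new URL(href).hash.slice(1));
  return params.get('name') || '';
}

// VULNERABLE: the untrusted value reaches innerHTML, which parses it as markup.
function greetUnsafe(el, href) {
  el.innerHTML = 'Welcome back, ' + nameFromFragment(href);
}

// HARDENED: textContent stores the value as text, so markup in it is inert.
function greetSafe(el, href) {
  el.textContent = 'Welcome back, ' + nameFromFragment(href);
}

// In a browser, pass a DOM element and location.href; plain objects stand in here.
const unsafeEl = {};
const safeEl = {};
greetUnsafe(unsafeEl, SAMPLE_HREF);
greetSafe(safeEl, SAMPLE_HREF);
console.log('server sees :', serverVisibleTarget(SAMPLE_HREF));
console.log('innerHTML   :', unsafeEl.innerHTML);
console.log('textContent :', safeEl.textContent);
```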

A 2019 report by Positive Technologies shows that three quarters of websites are vulnerable to XSS attacks – which may account for the fact that it was the most widely used cyberattack method for breaching large companies in 2019.

2// Digital skimming or formjacking

One of the most common ways in which criminals use code injection to steal data is through Digital Payment Card Skimming (DPCS) or formjacking. This is where hackers inject malicious JavaScript (JS) code to steal credit card details and other information from the payment forms on checkout pages of ecommerce websites.

Because PCI compliance prevents customers from storing their three-digit credit card security number on a website’s servers, hackers are focusing their efforts on the client side of the website to harvest those details as they are entered in real time.

Formjacking made up 71 percent of web breaches and 12 percent of total breaches in 2019, and it shows no signs of slowing down in 2020 – particularly with the persistence of hackers such as Magecart (see below).

It was recently discovered that a website set up to accept donations for victims of the Australian bushfires has itself become a victim of digital skimming – the only difference being the fraudsters were stealing card and personal data from donors to a worthy cause as opposed to shoppers.

Elsewhere, a new variant of a JavaScript skimming method was recently discovered – dubbed Pipka, it can remove itself from the compromised HTML code after execution to help avoid detection.

3// Third-party vulnerabilities

The average retail website now uses between 40 and 60 third-party technologies to create its online experience. They are used for personalization, tag management, ad tech, social media or customer reviews, among other things that improve the functionality and usability of the website.

However, as your website increasingly uses content from often disparate sources, it is easier for criminals to exploit these third parties to gain access to your customers’ personally identifiable information (PII) or payment data from the website.

According to leading security expert Brian Krebs, “The bad guys will find a vulnerability in a third-party library or component like a script in the checkout process or something like that. And once they compromise that third-party script, they compromise every site that runs that script – that’s the most common way that these attacks happen.”

This was the case when hackers compromised a third-party chatbot called Inbenta, enabling them to target several of Ticketmaster’s websites. This type of supply chain attack is far from an isolated incident – 61 percent of US companies have experienced a data breach caused by one of their vendors or third parties.

4// Magecart

Notorious hacker group Magecart is synonymous with both digital skimming and exploiting third-party vulnerabilities to steal payment data from websites. The group made headlines in 2019 with a series of high-profile web inject attacks that resulted in the FBI issuing a warning that urged organizations to “take note of this new breed of cyberattack and put security measures in place to protect end-users.”

It is thought that as many as 20,000 online stores have been breached by the group, with Macy’s and gun manufacturer Smith & Wesson both falling victim in late 2019. The arrest of three of its members is unlikely to hinder the group’s activities; Magecart is already suspected of being behind an attack this year which targeted the payment data from a diverse range of websites, including ones selling Olympic tickets and emergency preparation kits. These attacks also show how the group is evolving its attack methods by swapping out skimming domains on compromised sites to avoid detection.

5// Ad injections

As consumers we have all experienced annoying ads while trying to browse the internet. But for website owners, these ads can cause brand damage, loss of customer loyalty and revenues. They can re-direct users from your website, resulting in abandoned shopping carts and even putting money directly into your competitors’ pockets.

Your website visitors are also less likely to put up with a frustrating online experience, subsequently boycotting your services, turning to the competition or sharing their negative experiences on social media, for example.

The problem is that the adware is once again injected on the client side, so as the website’s owner you often have no visibility over the fact that visitors are having their browsing experience ruined until it is too late and you have lost valuable conversions.

Conclusion

As mentioned earlier, the recent introduction of the CCPA legislation means there is no wiggle-room left when it comes to data leakage, and organizations are now compelled to demonstrate they have the technology in place to help them avoid data loss and the inevitable fines and lawsuits.

As we have seen, the threat landscape is rapidly evolving, and the threat surface area is expanding. A lot of the malicious activity on websites can be difficult to detect – particularly if it occurs on the client side. This means that legacy security solutions simply can’t keep up with this dynamic environment.

Having a Content Security Policy (CSP) or Subresource Integrity (SRI) is a good foundation for trying to prevent web-based attacks – and having a data privacy workflow solution may help you in your efforts to remain compliant with regulations. However, on their own they are not enough. In 2020, you need visibility into what is running on your website and any changes that may occur in real time.
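
One way to put the CSP and SRI foundation into practice, as an added example that is not from the original article and is not Ensighten's code: audit a page's external script tags against an allowlist and for SRI attributes, then build the matching `script-src` policy. The origin, host names, HTML and the digest placeholder are constructed for illustration.

```javascript
// Added example: audit <script src> tags against an allowlist and for SRI.
// PAGE_ORIGIN, ALLOWED_HOSTS and SAMPLE_HTML are constructed for illustration.
const PAGE_ORIGIN = 'https://shop.example';
const ALLOWED_HOSTS = ['cdn.payments.example', 'tags.analytics.example'];
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script src="https://cdn.payments.example/v2/card.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://tags.analytics.example/t.js"></script>
<script src="https://chat.widget.example/bot.js"></script>`;

// Read one quoted attribute value from an opening tag, or null if absent.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tag);
  return m ? m[1] : null;
}

// Return one finding per third-party script that is off the allowlist or lacks SRI.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (!src) continue;                       // inline script: not covered by SRI
    const url = new URL(src, pageOrigin);     // resolves relative paths
    if (url.origin === pageOrigin) continue;  // first-party script
    const integrity = attr(tag, 'integrity');
    const hasSri = integrity !== null && /^sha(256|384|512)-\S+/.test(integrity);
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ host: url.hostname, issue: 'not-allowlisted' });
    } else if (!hasSri) {
      findings.push({ host: url.hostname, issue: 'missing-sri' });
    }
  }
  return findings;
}

// Build a CSP header value that lets only self and the allowlisted hosts run script.
function buildCsp(allowedHosts) {
  const hosts = allowedHosts.map((h) => `https://${h}`).join(' ');
  return `default-src 'self'; script-src 'self' ${hosts}; object-src 'none'; base-uri 'self'`;
}

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_HOSTS));
console.log('Content-Security-Policy:', buildCsp(ALLOWED_HOSTS));
```

The audit reads static HTML only, so a script injected at runtime by an already-trusted third party does not appear in it, which is the visibility gap this section describes.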

Ensighten’s MarSec™ solution provides you with a real-time view of all the technologies running on your website and will perform a full privacy risk assessment as web pages are loaded. It can also prevent malicious web injects by only loading resources that are explicitly allowed and block everything else.

This means blocking formjacking attacks by allowing control over third-party JavaScript that is given permission to operate within the user’s browser. It can also detect and block unauthorized advertising injected into visitor browser sessions and prevent your customers from being diverted to other websites.

Not only can you manage third-party technologies by allowing or blocking approved vendors, and managing and updating policies in real time; you can extend protection to the client side of your website where previously you may have had no visibility.

Speak to Ensighten about locking down your customers’ data.

Ensighten

Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.
