After a surge in web-based attacks in 2019, criminals are doubling their efforts to steal your customers’ data in 2020
In 2019 we saw cybercriminals evolve their attack methods, expanding into new areas and adding extra layers of complexity to carry out attacks without detection. It was described as the “worst year on record” for data breach activity, with web-based attacks exposing more data than any other method.
Experts noted that ecommerce websites in particular experienced a surge in cyberattacks. In 2020, this looks set to continue, with your company website as a prime target for attack.
Application weaknesses and software vulnerabilities continue to be the most common means by which cybercriminals carry out external attacks. With your website susceptible to malicious code injection, unsolicited advertising, digital skimming and third-party vulnerabilities, the risk of data leakage or a full-scale data breach has never been greater.
This all plays out against a backdrop of increasing data protection regulations, such as GDPR in Europe and the recently introduced CCPA in the US, with greater financial penalties for data loss than ever before.
Here we look at the top five cyberattack methods your website faces in 2020.
Not only are the type and frequency of cyberattacks on websites increasing, but the hacks are now more lucrative than ever for criminals. Payment card data is the most coveted type of information for criminals to get their hands on, comprising 36 percent of breach incidents.
1// Cross-site scripting (XSS)
A 2019 report by Positive Technologies found that three quarters of websites are vulnerable to XSS, in which an attacker injects script that runs in a visitor’s browser with the privileges of your page. That prevalence may account for XSS being the most widely used method for breaching large companies in 2019.
2// Digital skimming or formjacking
Because PCI DSS forbids merchants from storing the card security code (the three- or four-digit CVV) after authorization, hackers have shifted their focus to the client side of the website, harvesting card details in the browser as the customer types them into the checkout form.
Formjacking made up 71 percent of web breaches and 12 percent of total breaches in 2019, and it shows no signs of slowing down in 2020, particularly given the persistence of groups such as Magecart (see below).
It was recently discovered that a website set up to accept donations for victims of the Australian bushfires had itself fallen victim to digital skimming; the only difference being that the fraudsters were stealing card and personal data from donors to a worthy cause rather than from shoppers.
3// Third-party vulnerabilities
The average retail website now uses between 40 and 60 third-party technologies to create its online experience. They are used for personalization, tag management, ad tech, social media or customer reviews, among other things that improve the functionality and usability of the website.
However, as your website loads more content from disparate sources, criminals gain more routes in: compromising one of those third parties gives them a foothold on every page that embeds it, and with it access to your customers’ personally identifiable information (PII) or payment data.
According to leading security expert Brian Krebs, “The bad guys will find a vulnerability in a third-party library or component like a script in the checkout process or something like that. And once they compromise that third-party script, they compromise every site that runs that script – that’s the most common way that these attacks happen.”
This was the case in 2018, when hackers compromised a third-party chatbot from Inbenta, enabling them to skim payment data from several of Ticketmaster’s websites. This type of supply chain attack is far from an isolated incident: 61 percent of US companies have experienced a data breach caused by one of their vendors or third parties.
4// Magecart
Magecart, the collective name for several criminal groups, is synonymous with both digital skimming and exploiting third-party vulnerabilities to steal payment data from websites. These groups made headlines in 2019 with a series of high-profile web inject attacks that led the FBI to issue a warning urging organizations to “take note of this new breed of cyberattack and put security measures in place to protect end-users.”
It is thought that as many as 20,000 online stores have been breached by Magecart groups, with Macy’s and gun manufacturer Smith & Wesson both falling victim in late 2019. The arrest of three suspected members in early 2020 is unlikely to hinder activity; Magecart is already suspected of being behind an attack this year that targeted payment data on a diverse range of websites, including ones selling Olympic tickets and emergency preparation kits. That campaign also shows how the operators are evolving their tradecraft, swapping out the skimming domains on compromised sites to avoid detection.
5// Ad injections
As consumers we have all experienced annoying ads while trying to browse the internet. But for website owners, these ads can cause brand damage, loss of customer loyalty and revenues. They can re-direct users from your website, resulting in abandoned shopping carts and even putting money directly into your competitors’ pockets.
Your website visitors are also less likely to put up with a frustrating online experience, subsequently boycotting your services, turning to the competition or sharing their negative experiences on social media, for example.
The problem is that ad injection, like skimming, happens on the client side, typically through adware or a malicious browser extension on the visitor’s own device. As the website’s owner you often have no visibility of the fact that visitors are having their browsing experience ruined until it is too late and you have lost valuable conversions.
As mentioned earlier, the recent introduction of the CCPA legislation means there is no wiggle-room left when it comes to data leakage, and organizations are now compelled to demonstrate they have the technology in place to help them avoid data loss and the inevitable fines and lawsuits.
As we have seen, the threat landscape is rapidly evolving, and the threat surface area is expanding. A lot of the malicious activity on websites can be difficult to detect – particularly if it occurs on the client side. This means that legacy security solutions simply can’t keep up with this dynamic environment.
A Content Security Policy (CSP) and Subresource Integrity (SRI) are a good foundation for preventing web-based attacks: CSP restricts which origins may supply scripts and receive data, and SRI pins a script to the hash of the code you reviewed. A data privacy workflow solution may also help you remain compliant with regulations. On their own, however, they are not enough. SRI only covers resources whose bytes never change, so it cannot be applied to the many third-party tags that update themselves or load further scripts at run time, and a CSP allowlist offers no protection when an allowed origin is itself compromised, as in the Inbenta case above. In 2020, you need visibility into what is running on your website and any changes that occur, in real time.
Ensighten’s MarSec™ solution provides you with a real-time view of all the technologies running on your website and performs a full privacy risk assessment as web pages are loaded. It can also prevent malicious web injects by loading only resources that are explicitly allowed and blocking everything else.
Not only can you manage third-party technologies by allowing or blocking vendors and updating policies in real time, but you can also extend protection to the client side of your website, where previously you may have had no visibility.