Website Data Breaches – Protecting against JavaScript attacks following 2018, the year of Magecart

October 26, 2018

This year it was discovered that hacking collective Magecart were behind the data breaches of at least 800 e-commerce sites around the world, exploiting failures in client-side website security.

As the high-profile hacks of 2017-2018 have shown, the stakes for companies suffering data loss are extremely high: Gemalto recently found that 70% of customers said they would leave a business following a data breach. This is a threat from which even the largest organisations can be at risk. In a recent study RiskIQ identified 100 ‘top-tier victims’ of Magecart, which they said included ‘mainly online shops of some of the largest brands in the world’.

Despite these huge risks, a study we carried out in September 2018 found that 46% of enterprises believe they have a probable or greater risk of a website data breach. Even more shocking was the discovery through our research that 13% of organisations surveyed only review the security of their customer data once every six months.

The devastating impact for a business suffering from a security breach may seem obvious; however, a data breach often brings several unforeseen damages on top of large fines.

Firstly, customer loyalty can be damaged when a business experiences a security breach. Data from the Ponemon Institute found that 31% of people actually terminated their relationship with an organisation following a data breach.

Secondly, a data breach will often force an organisation to divert a substantial amount of time and resource into dealing with the fallout. All areas of the business will be involved in the aftermath of a data breach, potentially forcing other projects to be placed on hold while the problem is rectified.

Why are these attacks becoming more common?

Part of the reason is the wide adoption of JavaScript; by 2016 it was estimated that 92% of all websites were using JavaScript. JavaScript is used to deploy third-party services onto a website. This helps improve the customer experience, offers the brand insights into how users are interacting with it via its digital channels, and enables enhanced performance measurement and personalised experiences. However, these benefits have led to many sites relying heavily on third-party JavaScript, giving hackers a new avenue of attack.

Hackers have taken to targeting third-party technologies because they are given a high level of trust: they run on the client side of the website, which gives them access to everything that happens in the browser, including customer data. This ‘all access’ attribute has enabled hackers to manipulate the JavaScript code being served by a third party, or served directly from the business’s own web servers, in order to inject malicious code.

Hacking into third-party supply chains has allowed hackers to break into thousands of websites at once, making their methods far more effective and dangerous. A case in point: Feedify, a customer engagement service which requires clients to add its JavaScript to their site in order to function, was hacked earlier this year.

The injected malicious code has been found to steal customers’ personal and financial data as it is entered into the site, and even redirect customers to a malicious domain to conduct fraudulent transactions.

These exploits that lead to payment detail and data theft have been referred to as formjacking, payment card skimming, as well as digital credit card skimming. These are not the only types of data breaches that can occur from an insertion of malicious code into a website, but perhaps are among the most impactful as the site owners can be completely unaware their customers’ data is being stolen.

What can you do to prevent these types of attacks?

In order to protect your site against formjacking and compromises of your website supply chain, you need to consider the following questions:

· Do you know which third-party vendors are operating on your website? How do you guarantee this?

· Can you ensure that third-party technologies on your site can’t capture sensitive information? How do you go about this?

· Can you ensure that the script which ends up running is the one which is permitted? How can you double-check this is still the case?

· Can you control what content is being loaded into the third-party requests? If an unvalidated script was accessing card payment details on your site, would you be able to immediately stop it?

If there is any doubt about the answers to any of these questions, extra precautions must be taken.

What you can do to secure your website:

· Scan and monitor your website to see which third-party JavaScript is operating on the site, where it is being loaded from and which pages these scripts are on.

· Whitelist and enforce which third parties and which scripts are allowed to operate on your website.

· Use website data leak prevention, so that if a trusted third-party script is compromised you can prevent any alterations to your site and stop any leaks before they take place.

If you want to understand how Ensighten helps with the mitigation of formjacking, and how we can help you mitigate potential risks within your website supply chain, then please get in touch to request a demo.
