Safeguarding data is a continual process fraught with challenges and a breach in the protection of that data can have major repercussions. Detecting and reporting a breach in a timely manner is crucial to maintaining compliance standards and ensuring the integrity of an organization’s data. Though many breaches are detected in a timely manner, it is an unfortunate reality that the majority of organizations take months or even years before detecting a breach.
56% of breaches took months or even years to detect
In 2019, security teams at Verizon released the Verizon Data Breach Investigations Report; an analysis of many of the year’s big data breaches across organizations. A total of 41,686 security incidents were analyzed in the report, shining a light on a grim reality: While cybercriminals’ first steps towards compromising customer information and data can happen in a span of minutes, the time taken to discover the breach by these malicious actors often takes months.
Using the data from the analyzed incidents, Verizon’s security teams determined that a total of 56 percent of breaches took months or even years to detect – a significant sample size given the enormity of cyberspace that the 41,686 analyzed sites represent. This revelation tells us of the growing level of impact a well-established system of governance can have for an organization – a system by which attacks can be properly mitigated and reported to save precious time in recovering from a breach.
Blue teams regularly engage in the mission of preventing attacks from occurring but having the systems to detect a breach in progress – assuming preventative measures have failed – is just as critical to ensure the integrity of an organization’s systems and the confidentiality of customer data. Some methods by which attacks occur are remarkably silent and Magecart is no exception.
Magecart and web skimming attacks
Magecart is a catch-all term for web skimming attacks – named so for the vulnerable ecommerce platform Magento that has become a favorite attack surface of hackers around the world, from individual attackers to nation-state actors. The methods utilized to execute these attacks varies depending on the complexity of the skimmer and the point of detection depends largely on the method of attack that the hacker chooses. While there are some web skimming attacks that would require a hacker to infiltrate a web server to execute, there are many methods which are far more silent in their execution and much more difficult to detect – such as an attack on a website’s supply chain.
Running in the shadows: Supply chain attacks
Of the various methods by which web skimming attacks are executed, perhaps none pose as much of a risk to an organization as an attack on a website’s supply chain. The supply chain of a website is much like the supply chain of a city - it contains all the necessities that a city needs to operate and grow. However, if someone were to control or infect part of a city’s supply chain, they could do remarkable damage to that city’s people without ever having to enter the city.
An average website uses as many as 40 third-party extensions or modules in the construction of the website, which presents at least 40 different angles of attack for cybercrime groups, such as Magecart. In this case, the security of the website and its users hinges on the security of these 40 third-party organizations as the malicious script is supplied to the website and run whenever a user loads a web page in their browser – unbeknownst to the web server’s owners or the customer. Magecart have used these web skimming techniques to insert malicious script into for example shopping cart technology to successfully collect payment card data in real time as it is inserted into the form.
This type of attack is almost invisible to the website’s administrators through traditional scanning methods. Backend audits and vulnerability scans cannot detect the presence of this threat as it impacts browsers, meaning the attack is client side. Once the attack is in place, the attacker can choose varying methods of exfiltration: In a typical scenario an attacker might redirect the flow of stolen data to a remote server but could also choose to store data on the web server, disguising it as a necessary or common element within a module to fend off detection. Any of this data which makes it to the server is likely to be encoded in a way that makes the exfiltration extremely difficult to detect by moving values of strings like “credit card number” through multiple encoding methods. This evades IDS filters and firewall rules by changing the appearance of the stolen data to values that the security devices may not recognize.
The impact of data leakage
Successful detection and timely mitigation can have significant impacts on an organization’s financial outlooks. According to a study performed by IBM Cybersecurity on the impact of data breaches on organizations, “[2019’s] report found that the average lifecycle of a breach was 279 days with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. However, companies in the study who were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.” Regarding the use of third-party modules, apps and code, they discovered that “breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average, emphasizing the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.” This study highlights the importance of real-time detection and mitigation measures on the client-side operation of a website.
The value to a hacker – whether it be to skim PII or generally disrupt a brands operation – is not in the attack itself but the length of time it runs for and the magnitude of the issue it creates. As such, many of the attack methods referenced above are specifically designed to be difficult to detect and therefore be active for as long as possible. The way they achieve this is varied but the desired result is pretty much the same. Ensighten enables organizations to prevent online skimming attacks by providing technology that allows a filter to be placed within a website. This ensures that any data accessed by code – whether first, third or even further down the website supply chain – can only be sent to trusted destinations. Should a library contain skimming malware, the malware would not only be blocked from stealing user data, but the organization would be alerted to its presence. You can learn more about web skimming prevention here.