Magecart presents an unprecedented threat: Here’s what you can do
Recently we learned that the previously disclosed Ticketmaster UK breach from a few weeks ago was not a one-off event but instead part of a widespread website digital credit card skimming operation that impacted over 800 ecommerce sites around the world.
On the surface, even an attack of this size isn’t necessarily out of the norm in today’s threat landscape of highly sophisticated actors. However, if we consider the true impact of this event it is absolutely astonishing. The Target attack on in-store point-of-sale systems from a few years ago was frightening, and that was only one organization. Given the growing consumer shift away from in-store towards ecommerce and the sheer number of global merchants affected by Magecart, this event is chilling in scope.
The client-side browser is the primary environment in which critical customer data is displayed, entered and captured. It is the front door for interaction with customers and their data. Third-party JavaScript executes in that browser and is granted unmanaged, unlimited access to the entire webpage, including the ability to exfiltrate data (through keylogging, web injection, form field manipulation, phishing, etc.) and to deface or alter content.
Simply put, website owners are handing out skeleton keys to the front door, even though the server-side back door to most of these companies is very secure. Magecart activities show that attackers are looking for economies of scale and are searching for and able to attack hundreds of companies at once. Security pros should think twice about being so cavalier with the skeleton keys to their front door.
Because many third-party vendors have weaker security protocols than the corporate websites that run their tools, they are both more attractive and more susceptible to attack. Coupled with the unavoidable, unlimited access those tools have to the webpage DOM, this is a major vulnerability for companies. Further, once a hacker compromises a single third-party vendor, they have access to every website that runs the tool. Third-party JavaScript is served from external remote servers and executes on the client.
This makes current security approaches such as pentesting, periodic code review, and dynamic application security testing incapable of preventing these attacks. Companies have no visibility into what these third parties are doing and no way to prevent the hackers that exploit them from accomplishing their malicious missions.
Luckily, there are steps that security teams can take to mitigate the risks of third-party vendors outright:
Prevention is the best option
To limit the threat posed by third-party software, security pros can use prevention technology that controls the access and permissions of every third party running on the page. Such technology insulates websites, their corporate owners, their visitors and their customer data both from the inappropriate behavior of overzealous third parties and from the more malicious activities of hackers who seek to exploit them.
This prevention-level approach not only secures the organization but also provides the data control required by many compliance laws (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control what data the various third parties can access, an organization is in a state of non-compliance.
A benefit of prevention is that, with security and privacy concerns satisfied, the business is free to use third parties in ways that help generate revenue. By using third parties on otherwise sensitive pages (e.g. payment, registration, credential capture), the business can optimize conversion rates at critical junctions of the customer journey. By adopting new and innovative tools, the business can stay dynamic and differentiate itself from peers that are forced to move more slowly and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.
Constantly monitor your site
One strategy that all security teams can take is to constantly monitor any third-party scripts on their sites for changes. Of course, this requires a resource commitment – some websites employ over 100 third-party add-ons – but it’s one way to detect potential threats moving forward.
The downside of this approach is that it is incapable of detecting attacks like Magecart in real-time and does not include remediation. At best, it may detect an attack, but assuredly will never detect the attack in time for the website owner to avoid some damage. After all, even if the majority of the damage is avoided after detection, any leakage of customer data likely constitutes a compliance violation that will require full public disclosure. The resulting fines, PR crises and operational fire drills are typically crippling – but the alternative is generally far worse.
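One way to implement the change monitoring described above, as an added example that is not part of the original article: it snapshots the script tags on a page, hashes each inline body and each external script body (the caller fetches those; the page and vendor URLs below are constructed samples), and reports scripts that were added, removed or changed since the baseline. Digests use Subresource Integrity notation so a stable one can be pinned as an integrity attribute.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip().encode())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def sri_digest(content: bytes) -> str:
    """SHA-384 digest in Subresource Integrity notation: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def snapshot(page_html: str, bodies: dict) -> dict:
    """Map each script on the page to a digest; `bodies` is src -> fetched bytes."""
    c = ScriptCollector()
    c.feed(page_html)
    digests = {s: sri_digest(bodies[s]) if s in bodies else "UNFETCHED" for s in c.external}
    for i, body in enumerate(c.inline):
        digests[f"inline#{i}"] = sri_digest(body)
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Scripts that appeared, disappeared or changed content since the baseline."""
    return {"added": sorted(k for k in current if k not in baseline),
            "removed": sorted(k for k in baseline if k not in current),
            "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k])}


# Constructed sample: a checkout page whose vendor tag later changes and gains a new script.
BASE_HTML = '<body><script src="https://cdn.vendor.example/tag.js"></script><script>window.dataLayer=[];</script></body>'
NEW_HTML = BASE_HTML.replace("</body>", '<script src="https://cdn.other.example/x.js"></script></body>')
BASE_BODIES = {"https://cdn.vendor.example/tag.js": b"console.log('tag');"}
NEW_BODIES = {"https://cdn.vendor.example/tag.js": b"console.log('tag');/*changed*/",
              "https://cdn.other.example/x.js": b"console.log('new');"}


def demo() -> dict:
    return diff_snapshots(snapshot(BASE_HTML, BASE_BODIES), snapshot(NEW_HTML, NEW_BODIES))
```

Run the snapshot on a schedule against the live checkout page and alert on any non-empty `added` or `changed` list; a vendor that legitimately ships an update should be re-baselined only after review.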
Restricting the usage of third party tools
Another option is to exercise extreme caution when choosing which third-party tools to use. By scrutinizing the security protocols of these tools and selecting only those with comprehensive security features, security teams can pressure third-party vendors to improve their practices and help the companies that use them further secure their sites. Unfortunately, the reality with third-party scripts is that they will always inherently have an otherwise uncontrolled level of access to the webpage DOM.
The downside is that limiting usage can be counterproductive to the overall goals of the business. Over-scrutinizing third-party vendors makes delivering a compelling, differentiated and dynamic web presence more difficult. Limiting the number of tools used similarly limits the organization’s ability to provide an engaging user experience and extract meaningful analytics. If customer experience and analytics are not optimized at critical points in the customer journey, such as account registration and checkout, then conversion rates will plummet.
Ultimately, restricting tools is a balancing act between remaining secure and providing a competitive customer experience.
The time to act is now
It’s likely that the more than 800 compromised sites in this attack are just the tip of the iceberg, given the amount of time that this attack ran undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies, exploited through this same attack vector, have recently been reported.
Lastly, we know that third-party tool vendors are more likely to shift blame to site owners than to incorporate the necessary security themselves. So it is important that the industry closely monitor third-party vendors and pressure them to enact better security protocols, while site owners proactively employ preventative technology that allows them to still benefit from the advantages these third-party tools offer.