Ho, ho, here we go – the holiday season. Let me start by wishing everyone some solid quality time together. We are indeed in the “most wonderful time of the year.”
Unfortunately, especially with the most recent Log4j bug, it could also become the most “Plunder-full” time of the year, resulting in massive financial losses, factory slowdowns, and delayed deliveries.
This season promises to see surges in consumer demand for products and travel with major online buying. Great news for the retail, travel, airline, and hospitality industries. It’s also potentially better news for cybercriminals looking to skim and defraud their way into a very profitable holiday season.
As a result of the pandemic, e-commerce growth has accelerated over the past 18 months. Consider this stat from the National Retail Federation: 2021 online retail sales are expected to grow between 18 and 23% to between $1.14 and $1.19 trillion. Also, consider that even with the news of the Omicron variant, some 100 million Americans are still expected to travel – big news for airlines, hotels, and the like. But with the good, comes the bad. Cybercriminals are frothing at the mouth because they see a major opportunity to conduct client-side and Magecart attacks.
Understanding a client-side attack
Client-side attacks are one of the most prevalent risks for organizations that conduct transactions online. These attacks – digital skimming, formjacking, clickjacking, and ad injection – exploit vulnerabilities in the digital supply chain. Adversaries target the first- and third-party JavaScript running on most of the world’s websites to enable stealthy, lengthy, highly profitable criminal campaigns.
The growing complexity of the digital supply chain increases the attack surface and makes the problem harder to manage. The average web application has 40-70% of its code sourced from third parties. These third-party scripts deliver a wide variety of functionality, including ads, analytics, social media, and trackers. Third parties often source additional content and functionality from fourth parties, extending the web page supply chain. This code expands the security and compliance risk. That’s because of a major security gap in JavaScript that gives all scripts the same level of control on the client side.
Here’s how it works:
- Content gets served and enriched: Attackers target web application logic that runs in the browser, beyond the protection of server-side security. The code gets dynamically downloaded from a remote server, which means that it bypasses traditional security infrastructure, including firewalls and web application firewalls.
- All scripts have the same level of control: Third-party and fourth-party scripts have the same level of control as the owner’s scripts. Every script on the page has access and authorship capability, meaning it can change the webpage, access all information on it (including forms), and even record keystrokes.
- The vulnerability gets easily exploited: All it takes is for a threat actor to hack a third-party vendor and have its code changed or an internal developer to integrate malicious code, whether accidentally or intentionally. Website owners have limited means to dynamically detect the change and no means to stop it.
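To make the "same level of control" point concrete, the following added example (not code from the article or from Source Defense) inventories the scripts a page loads, classifies each as first-party, third-party or inline, and lists the third-party hosts loaded without a Subresource Integrity attribute. The sample HTML, the `shop.example` host and the function names are constructed for illustration.

```javascript
// Added example: inventory the scripts a page loads and classify their origin.
// SAMPLE_HTML and every host in it are constructed for illustration.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="https://widgets.chat.example/v2/loader.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//ads.example/serve.js" async></script>
<script>window.cfg = {};</script>
</head><body><form id="checkout"><input name="card-number"></form></body></html>`;

// Read one attribute value from a tag's raw attribute text (null if absent).
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// List every <script> in the HTML with its host, party and SRI status.
function inventoryScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const out = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(m[1], "src");
    if (src === null) {
      out.push({ src: null, host: page.host, party: "inline", sri: false });
      continue;
    }
    const url = new URL(src, page); // resolves relative and protocol-relative URLs
    const party = url.host === page.host ? "first" : "third";
    out.push({ src: url.href, host: url.host, party, sri: attr(m[1], "integrity") !== null });
  }
  return out;
}

// Third-party scripts with no integrity attribute: whatever the vendor's
// server returns is executed with full access to the page, forms included.
function unpinnedThirdParty(inventory) {
  return inventory.filter((s) => s.party === "third" && !s.sri).map((s) => s.host);
}

const inventory = inventoryScripts(SAMPLE_HTML, "https://shop.example/checkout");
console.table(inventory);
console.log("Unpinned third-party hosts:", unpinnedThirdParty(inventory));
```

A static pass like this only sees scripts present in the served HTML; fourth-party code that a vendor script injects at runtime does not appear in it.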
Five mistakes the bad guys count on
- The risk isn’t understood/prioritized. Until recently, most organizations have vastly underestimated the risk that client-side attacks present. It’s now a major attack vector, and it’s a growing one as well. Just last month, the NCSC warned 4,000+ retailers across the UK that they were the targets of client-side attacks. In 2021, formjacking was responsible for 61% of web breaches. British Airways saw a staggering $200 million initial fine (reduced to $20 million) for GDPR non-compliance because of a client-side attack. Since 2017, 150 million payment cards were detected as being compromised via Magecart attacks, with cybercriminals attempting to monetize the cards on the dark web for an estimated total of $37 billion.
- Lack of focus on third parties. How many vendors are plugged into the company’s consumer-facing site? What purpose does each serve? Are they required on highly sensitive pages? Is their code giving them read/write access to forms? In most conversations with security teams, these answers aren’t known. This isn’t a knock against those teams – they’ve been focused on the dozens of other risks they need to manage – but it is troubling because these attacks only continue to increase, and the risk they carry is quite material. Security teams can quickly assess how much exposure the company has on its consumer-facing site. Do it now.
- The client-side gets ignored. Security teams have a duty of care regarding data collected on the company’s site; just because the team may have protected the server side doesn’t mean that its responsibility ends. Know that adversaries are focused on the client side, so the security team has to do something to cut off this attack vector. Waiting isn’t an option – just ask any of the brands that have suffered these attacks and the resulting financial losses.
- Teams try to solve the problem with only detect and alert. Most security teams are already overworked, understaffed, fatigued, and drowning in alerts. Solving this problem can’t add more burden to an already overburdened security team. Some approaches to web application client-side protection use the “detect and alert” approach. They flag potentially malicious activity and ask the team to investigate and respond. We’re talking about consumer-facing web properties with hundreds of millions of monthly or quarterly sessions – the team needs a solution that prevents the problem from the start, doesn’t impact site performance, and requires little to no human oversight to work.
- Thinking it won’t happen here. If the history of client-side attacks teaches us anything, it’s that cybercriminals are creatures of opportunity. Organizations that have been hit range from multinational household names to small retailers like those the NCSC recently warned. The industry doesn’t seem to matter much either; attacks have hit retail, financial services, hospitality, healthcare, travel, and gaming. If there’s a way to profit from stealing the data the company collects, adversaries will have an interest.
These are all real and growing risks that companies must address – and that’s why Gartner recently said we’re just a few years away from the mainstream adoption of web application client-side protection. Only security geeks like us will wish for web application client-side protection for the holidays, but with all the impending threats, it’s one of the best gifts we could receive.
Hadar Blutrich, CTO, Source Defense