Ticketmaster UK revealed in June that personal data of over 40,000 of its UK customers had been stolen by a website credit-card skimming campaign called Magecart, which has so far victimized 800+ online merchants and counting. The widespread success of this attack campaign and its ongoing nature is evidence that every website is susceptible to this attack vector. Further, the impacts have ripple effects. Just recently, New Zealand’s Westpac bank reissued 30,000 cards based on suspicious transactions linked to Ticketmaster payments.

Magecart used a clever attack tactic to penetrate Ticketmaster – they targeted a supplier of 3rd party JavaScript code on its website. This style of attack targets the less secure companies that supply helpful JavaScript tools to websites, such as marketing trackers, analytics tools and chatbots. By compromising one of these suppliers, the hacker gains instant, unmanaged, developer-level DOM access to every site that has deployed their tool. We’ve seen this give hackers the ability to impact hundreds of websites simultaneously with a single successful attack. Magecart’s attack on Ticketmaster UK also victimized over 800 other online merchants.
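One way a site owner can inventory the exposure described above is to audit which scripts on a page are served by third-party hosts and whether each is pinned with a Subresource Integrity hash, so that a silently modified vendor script fails to load. The following is an added example, not Source Defense code; the sample page, the `shop.example` first-party host and the vendor hostnames are constructed placeholders.

```python
"""Audit an HTML page for third-party <script src> tags and report which
lack Subresource Integrity (SRI). Added example; sample page is constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script and two third-party tools,
# one of which carries an SRI attribute (placeholder value, not a real hash).
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.chat-vendor.example/widget.js"></script>
<script src="https://cdn.analytics.example/track.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<form id="payment"><input name="cardnumber"></form>
</body></html>
"""

class ScriptTagParser(HTMLParser):
    """Collect the src and integrity attributes of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def audit_scripts(html, site_host):
    """Return (src, host, has_sri) for every script loaded from a host other
    than site_host, i.e. the page's third-party JavaScript supply chain."""
    parser = ScriptTagParser()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc
        if host and host != site_host:
            findings.append((src, host, integrity is not None))
    return findings

def sri_hash(script_bytes):
    """Compute the integrity= value for a reviewed, known-good copy of a script.
    Caveat: SRI only works for vendors whose script content does not change."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode()

if __name__ == "__main__":
    for src, host, has_sri in audit_scripts(SAMPLE_HTML, "shop.example"):
        print(("ok     " if has_sri else "NO SRI ") + host + "  " + src)
    print(sri_hash(b"console.log('vendor widget');"))
```

Scripts that vendors update in place cannot be pinned this way, which is exactly why the unmanaged access the paragraph describes persists on most sites.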

These types of attacks are particularly effective because site owners rely on third-party tools for essential elements of the user experience as well as critical analytics. Eliminating the capabilities these tools provide – even those that could potentially pose a threat – comes at the massive and often unacceptable cost of reduced performance. Third-party tools have become essential to most modern websites.

To highlight the scope of the problem we chose three JavaScript-based tools known to have been compromised in the Magecart attack – Inbenta, PushAssist, and Social Annex – and conducted analysis to see which sites, if any, are still using these tools. The results are surprising:

Websites using these 3rd party JavaScript suppliers compromised by Magecart are spread fairly evenly from under $1 million in revenue to over $1 billion in annual revenue.

The categories of exposed sites are also concerning. Shopping, telecom, and finance sites are heavily represented. These categories are particularly attractive to hackers given the volume of payment and financial data these sites transact.

The data above illustrate that companies across all industries and revenue brackets use these tools to enhance website effectiveness. The potential for a website to become compromised through a 3rd party JavaScript is ubiquitous. The only missing ingredient is an opportunistic and persistent attacker. Today, this vulnerability is universal.

Significant data privacy compliance ramifications are also at stake. Given the unlimited access JavaScript provides to 3rd party website supply chain vendors, the privacy of customer data is impossible to ensure. This data privacy compliance issue exists whether an attacker is present or not.

The only current solution that prevents this 3rd party JavaScript vulnerability from impacting secure website operation is Source Defense. Source Defense employs innovative technology to provide total control over third party tools that operate on your website and to ensure customer data privacy. The real-time, all-the-time prevention approach eliminates the need to rely on reactive detection and the associated compliance-mandated disclosures, fines, and cleanups. In an environment where simplicity is welcomed, Source Defense involves nearly no interaction, offers automatic configuration, and requires no ongoing management due to the ultra low-touch prevention system design. Furthermore, with security, risk, and compliance handled, website owners are enabled to unlock the potential of their web strategy and even enjoy a performance and stability improvement.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS 4.0 requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.