The risk from client-side attacks like Magecart is becoming a new frontier, but it is not a shiny, new thing. We have seen the threat from formjacking, digital skimming and credential harvesting grow steadily since about 2015. You could say that client-side attacks have advanced along the hacking adoption curve and that they are going mainstream.

As if to make my case as timely as possible, just yesterday news broke of an attack that impacted thousands of retailers and their customers. With expectations of a record holiday season for online shopping, it is reasonable to expect that more of these campaigns are running now or will be soon. But the threat does not just impact retail. It touches financial services, healthcare, hospitality, travel, ticketing, gaming and other sites that have high online transaction volumes.

What it takes for an attack type to go mainstream

Besides the motive for ill-gotten profit, mainstream attacks share several other characteristics:

  • Low barrier to entry. Malware kits for skimming are available for as little as US $1,300, which is a low threshold for criminals who want to try a new kind of attack. By compromising a few active e-commerce websites, they can recoup their investment within a few months, or weeks if they take advantage of the holiday retail season.
  • Vulnerability where you wouldn’t normally look for it. Most of the world’s websites are susceptible to these types of attacks, but the risk does not seem to be widely understood or addressed. Vulnerabilities in the third-party JavaScript running on these sites are the pathway in, and most websites have a handful of partners (analytics, shopping cart, user experience and so on) running script on their pages. Because that script is served from the partner’s infrastructure rather than from the site owner’s own code base and build pipeline, attackers can substitute a modified copy or inject malicious code into it with little likelihood that the change will be found.
  • Inconspicuous activity. You can see your customers’ personal information as you capture and store it, but it is hard to detect the copy that goes winging off to a nameless, faceless, placeless attacker. The skimmer runs in the shopper’s browser and sends its copy of the form fields straight to an attacker-controlled server, so the theft never passes through the merchant’s servers or shows up in server-side logs. Worse yet, attacks can linger undetected for months, so the longer you wait, the more your liability grows.
  • Delayed software updates. Too many online vendors, from mom-and-pops to enterprises, postpone or neglect security updates to the software running their e-commerce sites. Recall that the term “Magecart” comes from “Magento,” the popular e-commerce platform where this type of attack started, and shopping “cart.” Companies that do not patch Magento, or any web application that relies on JavaScript, are low-hanging fruit for threat actors bent on stealing credit card data and personal information. Again, just yesterday this was proven true.
  • Outdated versions. In November 2020, the Cardbleed attacks hit websites that were still running Magento 1.x, a branch Adobe had declared end-of-life in June 2020. The attack inserted malicious code designed to capture and transmit credit card data entered by customers at almost 3,000 legitimate shopping sites. If it is important enough to your revenue to add e-commerce to your website, isn’t it important to observe your vendor’s warnings to upgrade?

To judge from the brands affected, Magecart client-side attacks are certainly mainstream. Ticketmaster’s UK operations (January 2018), British Airways (August 2018), Forbes magazine (May 2019) and WordPress/WooCommerce (May 2020) are all on the roster of high-profile, attacked sites.

Mainstream attacks call for mainstream solutions

Client-side attacks are, as Gartner says, a mainstream problem — now with a solution that’s finally becoming mainstream. Source Defense brings its unique approach to JavaScript sandboxing to help create what Gartner has defined as a new market for Web App Client-Side Protection.

Gartner, an industry analyst firm that has followed infosec trends for decades, has identified and analyzed the Web App Client-Side Protection category within the Application Security market. In its recent Hype Cycle report, Gartner writes that the market for this new security focus is at the height of the hype cycle.

Gartner’s assessment is that, within the next two years or so, mass market adoption will be a reality. With mass market adoption will come many more vendors with different approaches for protecting the JavaScript on your website against the harmful code hackers try to sneak onto it.

Do you want to wait two years to start protecting your website?

Or would you rather start now?

Source Defense has been working on web app client-side protection since long before it went by that name. Our co-founders had studied the security and data breaches generated by website supply chain vendors they worked with. Finding no adequate solution in the market — or even much of a market — they formed the company and started working on a solution.

As the leader in this space, Source Defense is now protecting nearly a billion site visits and transactions for some of the largest companies in the world. Not only have we thwarted and removed the risk of client-side attacks for these early adopters, but we’ve also prevented nearly 1.5 billion violations of security and compliance policies.

Your turn

Based on what we’re hearing from leading brands in retail, financial services, healthcare, hospitality, ticketing and other sectors, we agree with Gartner’s assessment about mass-market adoption. We think that Source Defense is the right solution at the right time for a nasty problem that will only grow nastier.

Client-side attacks are mainstream because they’re inexpensive to the attacker, they’re persistent and most companies are not looking out for them. But you don’t need to tackle them on your own. Request a demo to see Source Defense in action for yourself.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for requirement 6.4.3 (an inventory of all scripts on payment pages, with each script authorized and its integrity assured) and requirement 11.6.1 (a change- and tamper-detection mechanism for payment page contents and HTTP headers) without adding a burden to your security teams.
