After a year of lockdowns, quarantines, and social distancing companies and consumers alike have embraced online business like never before. According to Digital Commerce 360, US eCommerce saw a 44% growth in 2020 (US Ecommerce Report) and a current Longwoods International report shows that 87% of American travelers have travel plans in the next 6 months (Longwoods Intl Report). 

After a 45% decrease in total travel spending in 2020, the U.S. Travel Association predicts a return to pre COVID numbers by 2024 (Travel Forecast Fall 2020) and after the May 1st vaccine goal set by the current administration, over half of respondents in a Harris Poll survey say we will “return to normal” this summer (Harris Poll). With the CDC recently lifting some mask mandates those 60% of respondents look to be in the right about our “normal” returning. 

The increase in eCommerce and the return to normal for travel introduces more opportunity for an attack looking to increase its own footprint in the travel world. Magecart. The foundation .of a Magecart attack is JavaScript; the language that makes web pages interactive. These attacks exploit JavaScript’s native access to a web site to skim, insert, or change elements on that site. This is used to read payment information, add images or text fields, or change text, pictures, or links on the site to steal information and negatively impact the visitor experience.

The use of JavaScript since April 2020 has risen from just under 95% (94.6%) to over 97% (97.2%) according to (Image 1). As JavaScript usage increases and as new innovative ways to track, convert, and serve website visitors come to market, the risk of an attack grows as well.

The Numbers

We took a look at 10 different travel sites to analyze their JavaScript usage and how it correlates to what the Source Defense platform sees on a daily basis. The sites are made up of two airlines, four resorts, two vacation rental companies, and two cruise lines. Here’s what we saw:

  • 339 Total Scripts
  • 122 Total Unique Scripts
  • 34 Scripts per site – average

Of those total scripts we found:

  • 33 Unique Marketing Services
  • 22 Unique Analytics Services
  • 16 Unique Advertising Services
  • 8 Unique Social Media Services

When comparing those numbers to the Source Defense platform as a whole we find:

  • 180mil violations recorded by Social Media Scripts
  • 94mil violations recorded by Analytics Scripts
  • 17mil violations recorded by Advertising Scripts
  • 4.7mil violations recorded by Marketing Scripts

(measured using top 10 scripts over 14 days and 114.83mil page views)

It is important to note that violations do not mean attacks. Many of these violations, as we discussed in our Data Leakage Blog, relate to eavesdropping on data entered into fields. The eavesdropping is not malicious per se, but can be in violation of data privacy regulations in some states and is therefore blocked by the Source Defense platform.

What is interesting about these numbers is the low volume of Social Media services being used compared to the high number of violations we see out of those same services. At around 1.5 violations per page view, Social Media services are still the biggest violator we see in our platform. These violation numbers conform to what is known about these companies. Social Media companies are more data warehouses than wall posts and like buttons. Gathering that data, through legitimate means or through access not explicitly denied, is part of their identity.

If we contrast Social Media services with Marketing services we see that 10% of scripts are made up by Marketing services but only 1.3% of violations recorded in the Source Defense Platform come from Marketing sources. The rampant data hoarding seen in Social Media companies is not present in many of the Marketing services monitored by the Source Defense Platform.

The Takeaway

We’ve looked at how travel is on it’s way back to pre-pandemic numbers over the next couple of years, and how the usage of JavaScript is increasing even since mid-pandemic. We’ve also seen how certain travel sites and industries are using JavaScript to serve visitor and business needs alike. The violation trends seen here do not show any signs of slowing down, unless of course, your site or your preferred resort/airline/cruise line/vacation rental is using the Source Defense platform to protect data from getting into the hands of the wrong people.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.