By Source Defense

Retail theft is rampant, with losses stemming from employee theft, operational loss, administrative errors, organized crime, and return fraud.

These losses have pressured retailers across the country to focus significant resources on locked product displays, security cameras, IoT sensors to track products, physical access detection solutions, autonomous security robots, license plate recognition systems, and artificial intelligence and machine learning systems to detect shopping carts and baskets that have not passed through a checkout lane.

What about online security?

Meanwhile, the most sophisticated criminals in the world continue to siphon tens of billions of dollars every year through digital back doors surreptitiously planted in e-commerce websites. Nearly 75% of fraud and data breach cases investigated last year by Visa’s Global Risk team involved ecommerce merchants. Digital skimming attacks targeting ecommerce platforms and third-party code integrations are common. 

An online shopping cart is an extremely valuable target for cybercriminals. All of the payment details from customers’ cards have already been collected and are waiting in one place for a hacker to come along with their malware and take them right out of the cart. Virtually no ecommerce website thoroughly vets the third-party code running on its pages, which makes the hacker’s job quite simple.

Magecart and eSkimming attacks

The targeting of the client-side software supply chain—which commonly includes dozens of third- and fourth-party JavaScript applications—shows no sign of slowing. Researchers posited that Magecart attacks had likely compromised some 38 percent of all retail websites. Magecart refers to a group of cybercriminals specializing in “skimming” attacks and payment card theft targeting the Magento shopping cart (now Adobe Commerce).

Magecart attacks are designed to skim information entered into payment forms on checkout pages and send it to a remote computer controlled by the attackers. This is a potential security nightmare for the ecommerce industry, as virtually all resources during the next month will be focused on order completion and sales, not on securing 3rd party software.

Last year, as the retail sector was in the midst of a massive post-pandemic surge in online shopping, cybercriminals targeted more than 500 e-commerce sites with a payment skimmer aimed at the 12-year-old Magento 1 e-commerce platform, which Adobe stopped supporting on June 30, 2020. According to Adobe, more than 95,000 sites were still using the outdated platform.

Traditional security programs are not enough

No component of traditional security programs can prevent client-side attacks perpetrated via JavaScript. All it takes is for a third-party vendor to be hacked and have its code changed, or for an internal developer to integrate malicious code, whether accidentally or intentionally. Retailers operating eCommerce sites have limited means to detect such a change dynamically, and server-side security solutions give them no means at all to stop the altered code from exfiltrating data or executing other malicious activity inside the customer’s browser.

The average ecommerce website uses dozens of 3rd party tools, and retailers say they plan to add an average of 3 to 5 new 3rd party technologies to their sites annually. Instead of hacking the ecommerce websites themselves, hackers often attack the 3rd party plugins and ride their JavaScript onto the ecommerce website.

Checking the security perimeter of an ecommerce site is just not enough. A website inherits the security perimeter of every 3rd party tool it uses. Moreover, it has no control over what happens beyond the 3rd party circle: there are 4th party circles, 5th party circles, and so on, that most website owners know nothing about.

Despite this, ecommerce sites have exponentially increased their dependency on 3rd, 4th, and 5th party technologies, sharing confidential and sensitive information with a staggering 583 outside parties on average.

So while the retail industry turns its attention to additional physical security controls, cybercriminals are taking advantage of its biggest security blind spot—the website. In fact, our research shows that a new online attack focusing on these client-side vulnerabilities occurs every 39 seconds.

How Source Defense Can Help

Source Defense helps online retailers balance superb customer experience with critical security without compromising website performance or stability. We create virtual pages that isolate the 3rd party scripts from the eCommerce website. The virtual pages are an exact replica of the original pages, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activity on the virtual pages. If the activity is within the bounds of what the script is allowed to do, we transfer it from the virtual page to the original page. If not, we keep the activity on the virtual page, isolated from the user, thwarting any malicious activity such as digital skimming.

Source Defense protects your website from the growing threat of Magecart, Formjacking, and other digital skimming cyberattacks:

  • Isolating scripts from the page
  • Blocking harmful activities
  • Applying best practices
  • Securely enhancing websites
  • Continuing to benefit from 3rd parties

Waiting to act is simply waiting to be attacked. Request a demo of the Source Defense platform and get a personalized threat analysis for your business.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.