By Source Defense

Cybersecurity’s historical obsession with server-side security is blinding too many organizations to an attack vector that has the potential to destroy customer trust, ruin brands, and cost tens to hundreds of millions of dollars in fines and judgments. 

The JavaScript running on your customer-facing sites — whether it be the first party code your teams have implemented or the likely dozens of 3rd, 4th, and 5th party scripts that your supply chain partners run on your site — opens the door to client-side attacks like Magecart, formjacking, digital skimming, and credential harvesting.

In 2020 alone, there were 425 of these attacks per month. This is a nearly ubiquitous threat vector impacting more than 95% of the websites in the world. Sounds like another hornet’s nest to deal with, right? It is – but plugging this gap is probably the easiest thing you’ve ever tackled in your career. 

The COVID-19 pandemic ushered in a new normal where consumers are flocking online to conduct their financial business, conduct eCommerce, book travel, schedule recreation, etc. And with the barrier of entry for cybercriminals being so low, the volume and pace of client-side attacks will only heat up. Now is the time to consider web app client-side security and protection against these attacks.

Rapid Increase In Attacks

Since the first reported Magecart attack in 2014, there have been millions of successful client-side attacks. By 2018, client-side attacks were growing 72 percent year-over-year. Today, client-side attack kits can be purchased on the dark web and have increased significantly in their complexity, leading to a regular drumbeat of alerts and warnings from the FBI, PCI Council, and the Department of Homeland Security.

To date, the victim list of client-side attacks reads like a who’s who of online brands in eCommerce: Macy’s, Ticketmaster, BestBuy, British Airways, Claire’s, Warner Music, and Mission Health, among many others. No organization, regardless of industry or security budget, is immune to client-side attacks. Why?

The answer to why client-side attacks are relatively easy to carry out and are becoming more rampant by the day is simple: Attackers compromise source code (usually Javascript, which has complete access and control to your webpage Document Object Model (DOM)); malicious code is then executed in the client browser, and data is exfiltrated before it’s ever sent to the server. They’re stealing data at the point of input – right out of your online forms!

So unless you have visibility into all of the 3rd party Javascript  running your advertising plugins, analytics, social media, payment card processing, or contact forms, your enterprise is at risk. These 3rd, 4th, and 5th party vendors have extended your security perimeter beyond your security team’s control. You are left to trust that every time your business loads a webpage for a visitor, none of the 3rd parties in your digital supply chain are compromised or loading malicious code.

The same applies to your first-party code, such as file hosting, content delivery networks, and open-source Javascript libraries. What scripts are interacting with form fields on specific pages? What scripts listen to keyboard events, and do they need to do that? These rules must be enforced in real-time in the web browser.

Firewalls and WAFs Don’t Cut It – Source Defense Offers the Solution

One of the most common misperceptions among security professionals is that their firewalls and web application firewalls (WAF) should handle the problem of client-side attacks. Not true. Security tools like WAFs are designed to handle inbound threats to the web server. Javascript access to the web page DOM takes place outside that security perimeter.

With Source Defense Protect, you have a simple, effective, easy to deploy, easy to manage solution to the client-side security problem. 

Source Defense forces 3rd party scripts to load within a virtual page isolated from the client-side. This isolation allows 3rd parties to behave in a controlled environment, enabling Source Defense to permit or deny behavior based on best-in-class security protocols, data privacy policies and standardized rules we have in place.

The virtual pages are an exact replica of the original pages, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activities on the virtual pages. If the activity is within the premise of what they are allowed to do, we will transfer it from the virtual page to the original page. If not, we will keep their activity on the virtual pages isolated from the user and send a report to the eCommerce website owner, alerting them of the 3rd party scripts that violated their security policy.

With client-side attacks on the rise, ensuring that your customer’s payment and personal information are protected should be a priority if you want to avoid the implications of a data breach. 

Source Defense Protect can secure your website from the growing threat of Magecart, Formjacking, and other digital skimming cyberattacks:

  • Isolating scripts from the page
  • Evading harmful activities
  • Applying best practices 
  • Securely enhancing websites
  • Keep benefiting from 3rd parties

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.