By Source Defense

The theft of payment card data from retail organizations is on the rise, with 18 percent of breaches attributable to Magecart attacks, according to Verizon’s 2023 Data Breach Investigations Report (DBIR) released June 6. This shouldn’t come as a major shock given Visa’s recent warning of a 176% rise in these attacks over the past 6 months, or Recorded Future’s warning that as many as 10,000 sites were actively compromised last year. Yet, it doesn’t seem like enough is being done to cut these attacks off at the source. That’s why we’re doing everything we can at Source Defense to change that reality. Keep reading.

The 2023 DBIR examined 16,312 incidents, of which 5,199 were confirmed data breaches. The Retail sector suffered 406 incidents, 193 with confirmed data disclosure. System Intrusion, Social Engineering, and Basic Web Application Attacks represent 88% of breaches. The data compromised included Payment (37%), Credentials (35%), Other (32%), and Personal (23%) (breaches).

“Retail organizations continue to be lucrative targets for cybercriminals looking to collect Payment card data,” the report states. “We are seeing a relatively large increase in Payment card data stolen compared to last year,” the report states, characterizing the attacks as “a tried-and-true method of monetizing data.”

According to the Verizon report, Magecart – or Digital Skimming – attacks accounted for 18 percent of retail data breaches. These attacks are designed to skim information entered into payment forms on checkout pages before sending data back to a remote computer controlled by attackers. Attackers accomplish this by compromising the third- and fourth-party JavaScript code used by nearly all websites to provide things like online shopping carts, forms, analytics, advertising, social sharing, and much more.

“These criminals find ways of embedding their malicious code within your site’s credit card processing page. This allows them to quietly and subtly abscond with your customers’ payment data without actually affecting the functionality of your website,” the report states.
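As an added example (not from the Verizon report or from Source Defense), the sketch below audits the script tags on a checkout page against an approved inventory and flags unapproved sources, missing or mismatched integrity attributes, and changed inline scripts. The page markup, hostnames, script bodies and inventory are all constructed for illustration.

```javascript
const crypto = require("crypto");

// SRI-style digest: "sha384-" + base64(SHA-384 of the script text).
const sri = (t) => "sha384-" + crypto.createHash("sha384").update(t, "utf8").digest("base64");

// Constructed script bodies, standing in for the code that was reviewed and approved.
const CART_JS = "window.cart = { items: [] };";
const INLINE_INIT = "initCheckout();";

// Hypothetical approved inventory for the checkout page.
const INVENTORY = {
  external: new Map([
    ["https://cdn.shop.example/cart.js", sri(CART_JS)],
    ["https://tags.vendor.example/analytics.js", sri("/* approved analytics build */")],
  ]),
  inline: [sri(INLINE_INIT)],
};

// Constructed checkout page as delivered to the browser.
const CHECKOUT_HTML = `
<form id="pay"><input name="cardNumber"><input name="cvv"></form>
<script src="https://cdn.shop.example/cart.js" integrity="${sri(CART_JS)}"></script>
<script src="https://tags.vendor.example/analytics.js"></script>
<script src="https://static.unknown.example/lib.js"></script>
<script>initCheckout(); track(); /* changed after approval */</script>`;

// Regex extraction is enough for this sample; real pages need an HTML parser or a
// headless browser, because scripts can also be added to the page at runtime.
function auditScripts(html, inventory) {
  const findings = [];
  const attr = (attrs, name) =>
    (new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i").exec(attrs) || [])[1];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = attr(attrs, "src");
    const integrity = attr(attrs, "integrity");
    if (!src) {
      if (!inventory.inline.includes(sri(body.trim())))
        findings.push({ script: "inline", issue: "unapproved-inline" });
    } else if (!inventory.external.has(src)) {
      findings.push({ script: src, issue: "unapproved-source" });
    } else if (!integrity) {
      findings.push({ script: src, issue: "missing-integrity" });
    } else if (integrity !== inventory.external.get(src)) {
      findings.push({ script: src, issue: "integrity-mismatch" });
    }
  }
  return findings;
}

console.log(auditScripts(CHECKOUT_HTML, INVENTORY));
```

The audit compares declared attributes and inline text only; it does not fetch the external files, so it complements rather than replaces monitoring of what the browser actually receives.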

Verizon’s analysis of just payment card breaches in the Retail sector found that 70% of breaches originated from Web applications, 17% from Gas terminals, and 8% from PoS Servers. 

“This once again illustrates how e-commerce has made it way too easy to get what you want, including stolen credit cards,” the report states. “If you are looking for some added incentive, it’s worth mentioning that by the time our 2024 DBIR is published, you should all already be compliant with Payment Card Industry (PCI) Data Security Standard (DSS) 4.0.”

Source Defense recently announced the launch of a FREE PCI DSS 4.0 Compliance Support Solution. The solution is immediately available for the millions of merchants who must comply with PCI DSS and the QSAs that serve them.

Make Magecart Attacks a Thing of the Past

The Source Defense Client-Side Web Application Security Platform is an all-in-one, scalable system built for complete threat visibility, control, and prevention of client-side attacks such as Magecart, Digital Skimming, formjacking, and credential harvesting. With this one-of-a-kind technology, client-side threats are stopped in their tracks without your teams needing to lift a finger. Source Defense uses a prevention-first approach and real-time JavaScript sandbox isolation and reflection to prevent client-side attacks without having to alert analysts.

Source Defense uses real-time JavaScript sandboxing technology to create virtual pages that isolate the 3rd party scripts from the website. The virtual pages are an exact replica of the original ones, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activities on the virtual pages. If an activity is within the bounds of what the script is allowed to do, we transfer it from the virtual page to the original one. If not, we keep the activity on the virtual page, isolated from the user, and send a report to the website owner, alerting them that the 3rd party script is violating their security policy.
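The policy described above can be modelled in a few lines. This is an added, simplified illustration and not Source Defense's implementation: the field names, vendor hostnames, policy format and the choice to report reads of excluded fields are all assumptions.

```javascript
// Constructed sample: state of the real checkout page.
const realPage = { email: "pat@example.test", cardNumber: "4111111111111111", promoBanner: "" };

// Hypothetical policy: fields each third-party script may read or write.
const POLICY = {
  "analytics.vendor.example": { read: ["email"], write: [] },
  "promo.vendor.example": { read: [], write: ["promoBanner"] },
};

// Returns the replica a given vendor script sees, plus a log of policy violations.
function virtualPageFor(vendor, real, policy) {
  const rules = policy[vendor] || { read: [], write: [] };
  const isolated = {}; // disallowed writes stay here and never reach the real page
  const reports = [];
  const page = new Proxy({}, {
    get(_target, field) {
      if (Object.hasOwn(isolated, field)) return isolated[field];
      if (rules.read.includes(field)) return real[field];
      if (Object.hasOwn(real, field)) reports.push({ vendor, action: "read", field });
      return undefined; // excluded fields do not exist in the replica
    },
    set(_target, field, value) {
      if (rules.write.includes(field)) {
        real[field] = value; // within policy: transfer to the real page
      } else {
        isolated[field] = value; // outside policy: keep isolated and report
        reports.push({ vendor, action: "write", field });
      }
      return true;
    },
  });
  return { page, reports };
}

// A promo script makes one allowed write, then touches the card field twice.
function demo() {
  const real = { ...realPage };
  const promo = virtualPageFor("promo.vendor.example", real, POLICY);
  promo.page.promoBanner = "10% off";
  const seen = promo.page.cardNumber;
  promo.page.cardNumber = "";
  return { real, seen, reports: promo.reports };
}

console.log(demo());
```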

This is as close to ‘set it and forget it’ security and data privacy as you will see on the market.

Cybersecurity analysts can rest easy at night, and engage in valuable activities during the workday, knowing that a critical portion of their job is being efficiently and automatically managed. Ultimately, the Source Defense platform offers a simple way to manage the 3rd party risk in your digital supply chain and prevent attacks from the client side.

Waiting to act is simply waiting to be attacked. Visibility is the first and most important part of any risk mitigation program. Source Defense is ready to provide you with a free website risk analysis within the next few days. Get moving with the Source Defense team to close off this open gap in your eCommerce security.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
