“Fantastic invention,” says Willy Wonka, as portrayed by Gene Wilder. “Revolutionize the industry. You can suck ’em and suck ’em and suck ’em, and they’ll never get any smaller. Never. At least, I don’t think they do.”
We couldn’t help thinking about Willy Wonka’s Everlasting Gobstopper when news broke two weeks ago about the breach of more than 500 e-commerce stores running Magento. After all, client-side attacks by groups like Magecart have been running rampant for years, and for at least a decade, retail breaches seem to be like an everlasting gobstopper – they’re always there and never seem to get any smaller.
Vendors like Source Defense have warned and warned about the problem of formjacking, digital skimming and credential harvesting. But while our adversaries won’t ever let up, there is a way to make the gobstopper go away – it is called web application client-side protection, and it is easy to implement with virtually zero burden added to your already burdened security teams.
The Latest Evidence that Client-Side Attacks Need to be a Top Priority
There’s nothing wrong with running a Magento site for your e-commerce. But there’s everything in the world wrong with thinking that vulnerabilities won’t emerge, or that server-side protections such as a WAF are enough to call your site secure. The Magento 1 platform, which has not been supported since June 2020, was the target of the above-mentioned attack. (We should say “is the target of the attack,” because we’re confident that the out-of-date Magento 1 is still running on 50,000-100,000 sites worldwide.)
What is the objective of the attack? To steal credit card information as your customers enter it on the checkout page. How does the attack work? By abusing a known vulnerability in the Quick View plugin.
That kind of retail breach is the Everlasting Gobstopper of cybersecurity. It’s an evergreen problem that will never get any smaller – at least not without implementing client-side controls.
Remember the 2013 Target breach, when hackers installed malware on point-of-sale devices and stole track data from as many as 40 million holiday shoppers? In the security industry, we thought, “Finally! A watershed moment! Now retail will wake up and really take action to secure consumers’ information.”
Yeah, no.
Nine years later, we’re still seeing retail and ecommerce attacks because there are so many more ways to launch them and so many more transactions. Adobe estimates that e-commerce accounts for $1 of every $5 spent by U.S. consumers — up from $1 of every $6 in 2017 — heading for a trillion dollars in transactions in 2022.
Stop Client-Side Attacks: Keep them on your radar and deal with them once and for all
This most recent Magento 1 attack fits in with the crescendo of Magecart conversations we’ve been hearing, starting last summer, continuing through 2021 and into 2022. It has brought about a major upswing in focus on client-side protections and led to Gartner initiating coverage of technologies like Source Defense. Gartner refers to this new space in the application security market as web application client-side protection. They’ve written that it’s at the height of the hype cycle and that mass market adoption will start within the next couple of years. About time, considering these attacks have been happening literally by the hundreds per day over the past two years.
Cybersecurity will have gone an entire decade before taking JavaScript exploits in e-commerce seriously.
“Better late than never,” we say.
Ever since a website first asked for credit card information, there has been temptation and opportunity. Your adversaries will never go away, because there’s too much money in play. They know that attention spans are limited and vision is narrow when it comes to cybersecurity.
The risk will always be there but mitigating the risk should now be a top concern for your teams. Making the case for this focus is easy when you consider the following:
- Massive Growth in the Digital Supply Chain — Your traditional business functions depend on a physical supply chain for everything from raw materials to order fulfillment. Your e-commerce site depends on a digital supply chain for code, forms, images and plugins that enhance the user experience, support transactions, and collect customer information. Most e-commerce sites have dozens of 3rd or 4th parties involved in the supply chain – each of which introduces the potential for client-side attacks given their use of JavaScript. You wouldn’t do business with a shipping company you didn’t know and trust, yet your website is doing business with code from providers you don’t know. Or trust. Layering in a client-side security solution takes the risk off the table and supports your overall move to zero-trust.
- Client-Side Risk is 3rd Party Risk — When you think about first parties (your employees), second parties (your customers) and third parties (suppliers and business partners), isn’t it the 3rd-party risk that occupies most of your attention? Aren’t you spending millions to address this risk? Your e-commerce site is loading 3rd party (and nth party) JavaScript over which you have no control. Your adversaries know this and are using this fact to their advantage by targeting these partners as their vector of attack. There couldn’t be a clearer example of a 3rd party risk that you need to mitigate. Take this conversation to your next meeting around 3rd party risk – and watch client-side security shoot up the priority list.
- Simple, Effective, Low Burden Client-Side Security — Adding a new priority to your already massive priority list sounds hard, sounds like it carries a huge price tag, and sounds like you’re going to have to hire more people in a world where you’re already understaffed. The good news is that isn’t the case when it comes to working with Source Defense. Source Defense has invented a prevention-first – vs. detect-and-alert – client-side security platform that is easy to deploy, doesn’t burden your teams with more alerts, and is typically managed with fewer than 5 hours per month.
The most important step in securing the digital supply chain and mitigating 3rd-party risk is to prevent attacks before they occur. Source Defense is designed for just that: preventing attacks in the first place. With real-time sandbox isolation and reflection, Source Defense ensures that none of the JavaScript running on your sites – whether 1st, 3rd or nth party – can be used as an attack vector.
Find out more about Source Defense and its easy deployment, low burden on security staff and minimal management requirements.
Try our free, non-invasive website risk report today and deal with the Everlasting Gobstopper once and for all.