Visiting a website today, users gain access to a rich, interactive experience that is often customized to their preferences and enhanced for their convenience.
For example, a user could be shown the most relevant offers on a travel booking website because they searched for them recently.
Behind such a unique, personalized page, however, are dozens of third-party scripts that run services and access data from various sources, often in real time. They are standard elements of any modern webpage.
The bad news is that these scripts are also an attack vector. By compromising a legitimate script, attackers can inject malicious code into every website that loads it and steal information from unsuspecting users.
Perhaps the most infamous example is Magecart, the name given to a loose collection of criminal groups that use this technique. In the past two years, they have targeted online checkout pages to steal customer credit card information from airlines, ticketing services, retailers and even campus bookstores.
These attacks resemble the card skimming operations of old, when thieves attached hidden card readers to payment terminals to copy the data on a credit card's magnetic stripe.
Today, skimming has gone digital. Attackers compromise a third-party script loaded by the online shopping cart and copy the credit card details that users key in to pay for a purchase.
The old, and new, threat
In January 2020, Indonesian police and Interpol arrested three suspects linked to Magecart activity, though many others remain at large.
Meanwhile, skimming scripts are still infecting sites and helping criminals steal credit card details. What makes something like Magecart hard to stop is the wide use of third-party scripts and the complex supply chains behind today's websites.
By compromising one of these third parties, attackers bypass a typical Web application firewall (WAF) altogether: the WAF inspects traffic between the browser and the site's own servers, but the malicious script is fetched from the third party's host and sends the stolen data straight from the browser to a server the attacker controls. Since all of this happens in the user's browser, it is invisible to traditional server-side protection.
Some attacks also use scripts that are obfuscated or disguised to blend in with a developer's tooling or with legitimate network traffic.
In the attack on online retailer Newegg, the attackers went to the trouble of hiding the address they were sending data to behind a look-alike domain that resembled the retailer's own. Unless a security team was pulling the code apart, it was hard to spot.
Keeping out the bad guys
So prevalent is the problem that some websites get re-infected within days of a cleanup. According to the Sansec Threat Research Team, some 21 per cent of breached online stores were infected more than once, some as many as 18 times.
Clearly, countermeasures need to evolve to tackle this persistent threat. Many of the solutions deployed today lack the required capabilities.
Let us start with content whitelists, such as a Content Security Policy (CSP) that lists the origins a page may load scripts from. These may keep out some bad first-party scripts, but they struggle to control third- and fourth-party scripts from many origins. A whitelist allows an origin, not a behavior: if a whitelisted host is compromised, its malicious script is still allowed, and every script it pulls in from another origin either has to be added to the list or breaks the page. Keeping that list current across all the site's scripts is also labor intensive.
Then there is synthetic site scanning, in which a crawler loads the site and inspects what comes back. This is also limited, because many modern websites are personalized, so the content served to each user differs, and skimmers often activate only on checkout pages or for particular visitors. What the scanner sees is no guarantee that what a real user receives is safe.
A third approach is access control or sandboxing, for example isolating each third-party script so that it cannot reach the payment form. This may work for simple sites, but those that handle personally identifiable information (PII) and rely on third-party scripts will find that it requires a lot of manual testing, since legitimate scripts often need exactly the access being restricted.
Looking at behavior
A better approach is in-depth, behavioral detection. Instead of focusing on what is on a page, examine what each script is actually doing.
This means automatically inspecting third-party scripts at runtime: for example, does a script read form or credit card fields, is it supposed to, and where does it send data afterwards?
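To make the behavioral idea concrete, here is an added example (written for this article, not Akamai's Page Integrity Manager code) of a policy check that works on a trace of what each script did on a checkout page. All script origins, field names and the trace itself are constructed for illustration. In a browser, such a trace would come from a monitor that wraps the input value getter, fetch, XMLHttpRequest, navigator.sendBeacon and the Image src setter and attributes each call to the script that made it; here the trace is embedded so the check runs offline in Node.

```javascript
// Added example: behavior-based policy check for third-party scripts.
// The question is not "is this script whitelisted?" but "what did it do?":
// which sensitive fields did it read, and where did it send data afterwards.

// Policy: expected behavior per script origin. All origins are hypothetical.
const POLICY = {
  sensitiveFields: new Set(["cardNumber", "cvv", "expiry", "cardholder"]),
  scripts: {
    // the payment provider is expected to read card fields and post to itself
    "https://pay.example-psp.com": {
      mayReadSensitive: true,
      allowedSinks: new Set(["https://pay.example-psp.com"]),
    },
    // analytics may send page data to its collector but never read card fields
    "https://cdn.example-analytics.com": {
      mayReadSensitive: false,
      allowedSinks: new Set(["https://collect.example-analytics.com"]),
    },
  },
};

// Constructed trace of script behavior on a checkout page (not real data).
const TRACE = [
  { script: "https://pay.example-psp.com", kind: "read", field: "cardNumber" },
  { script: "https://pay.example-psp.com", kind: "send", to: "https://pay.example-psp.com/v1/charge" },
  { script: "https://cdn.example-analytics.com", kind: "read", field: "pageTitle" },
  { script: "https://cdn.example-analytics.com", kind: "send", to: "https://collect.example-analytics.com/v1" },
  // a skimmer injected into the analytics script: reads card data, then
  // exfiltrates to a look-alike domain
  { script: "https://cdn.example-analytics.com", kind: "read", field: "cardNumber" },
  { script: "https://cdn.example-analytics.com", kind: "read", field: "cvv" },
  { script: "https://cdn.example-analytics.com", kind: "send", to: "https://cdn.example-analytics-stats.com/i.gif" },
  // a fourth-party script pulled in by a trusted one; not in the policy at all
  { script: "https://static.unknown-cdn.net", kind: "read", field: "expiry" },
  { script: "https://static.unknown-cdn.net", kind: "send", to: "https://static.unknown-cdn.net/p" },
];

function originOf(url) {
  return new URL(url).origin;
}

// Walk the trace in order and emit findings. Severity is highest when a script
// that has already read sensitive data sends to an origin the policy does not
// allow for it: that combination is the skimmer pattern.
function analyze(trace, policy) {
  const findings = [];
  const readSensitive = new Map(); // script origin -> Set of sensitive fields read
  for (const ev of trace) {
    const rule = policy.scripts[ev.script];
    if (ev.kind === "read") {
      if (!policy.sensitiveFields.has(ev.field)) continue;
      if (!readSensitive.has(ev.script)) readSensitive.set(ev.script, new Set());
      readSensitive.get(ev.script).add(ev.field);
      if (!rule) {
        findings.push({ script: ev.script, severity: "high", reason: `unlisted script read ${ev.field}` });
      } else if (!rule.mayReadSensitive) {
        findings.push({ script: ev.script, severity: "medium", reason: `read ${ev.field} without authorization` });
      }
    } else if (ev.kind === "send") {
      const dest = originOf(ev.to);
      if (rule !== undefined && rule.allowedSinks.has(dest)) continue;
      const fields = readSensitive.get(ev.script);
      if (fields && fields.size > 0) {
        findings.push({ script: ev.script, severity: "critical",
          reason: `sent to unlisted origin ${dest} after reading ${[...fields].join(",")}` });
      } else {
        findings.push({ script: ev.script, severity: "low", reason: `sent to unlisted origin ${dest}` });
      }
    }
  }
  return findings;
}

// Mitigation decision: block every script origin with a critical finding.
// On a live site this would become a policy update (for example a CSP change
// or a rule that strips the script before the page is served).
function scriptsToBlock(findings) {
  return [...new Set(findings.filter((f) => f.severity === "critical").map((f) => f.script))];
}

const findings = analyze(TRACE, POLICY);
for (const f of findings) console.log(`[${f.severity}] ${f.script}: ${f.reason}`);
console.log("block:", scriptsToBlock(findings));
```

Note what a content whitelist alone would have missed here: the analytics origin is legitimately on the page, so its compromised copy is allowed to load; only the sequence of reading card fields and then sending to an origin the policy never listed for it reveals the skimmer. Scripts that are read-only or send only to their expected sinks produce no findings, which keeps the alerting signal usable.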
Akamai, which runs an intelligent edge platform, offers a Page Integrity Manager solution that provides a behavioral approach to script protection. It is designed to detect malicious script activity, protect the integrity of webpages, and safeguard businesses.
It takes a detection-first approach so that website owners can quickly mitigate compromised scripts and update policy controls to stop zero-day attacks and recurring attacks.
Deployed in minutes, it immediately starts analyzing script behavior. When malicious behavior is detected, website owners get immediate, critical alert notifications, and the offending script can be mitigated with a single click. To understand the potential risk breakdown of your website, you can request a free custom report here.
As websites grow more complex, such a tool can help keep out malware that exploits weaknesses in the script supply chain that are hard to find by hand.
For website owners, this means closing these gaps quickly and avoiding the fallout of a data breach that could seriously damage their brand and their customers' trust.