How Your Company Commits Accidental Cybercrime

Websites used to be pretty simple: plug some boilerplate HTML together, host it on a domain, and watch the traffic trickle in. However, as search engines and the tech-retail landscape have evolved, sites have become increasingly complex. Many customers now rely exclusively on a company’s site, browsing products and communicating about requirements and issues at will. The expectation is for company websites to be clean, relevant and always open. Thanks to this evolution, even the most basic, free-to-set-up site is bursting with dynamic code today.

Here is how cyber criminals take advantage of you and your customers, and how a Web Application Firewall (WAF) can shut that practice down for good.

Third-Party Scripts: Vital yet Deadly

Traditional HTML websites are – on paper – fairly simple to piece together. With no concerns around user input, HTML sites look exactly the same to every viewer. Every page is its own entity, which makes changing content far trickier – change one thing and the whole lot could come tumbling down. Whether your viewer is from the US or Japan, the site will not reflect any difference.

Dynamic sites, however, are a little different. They keep their content in a database managed by a content management system (CMS). This can be updated and switched at will, meaning there’s no impending HTML catastrophe after every blog post. The design and formatting of each page is usually applied automatically. Language- and location-specific sites can detect a user’s country from their IP address and automatically display the most relevant content. All in all, a dynamic website offers a far sleeker, more professional finish.

These user-specific changes are handled through the JavaScript language. JavaScript focuses on dynamic objects, which not only makes for great user-specific sites but also produces incredibly adaptable plug-and-play add-ons. These third-party JavaScript modules carry a huge weight of responsibility for many eCommerce sites. Basket and checkout functions are regularly handled by JavaScript add-ons which, when properly implemented, can greatly streamline your customer purchase funnel.

Don’t underestimate the ubiquity of these scripts. Site owners use these third-party scripts for almost everything: integrating shopping carts; producing dynamic forms; showcasing social media buttons; tracking visitors, to name a few. These scripts are available, usually at no charge, from a wide variety of sources, including cloud providers, social media companies, and open source organizations.

However, a growing number of these third-party JavaScript functions are becoming illicit fronts for cybercrime organizations.

Digging Deeper: Magecart’s Addons

From a site user’s perspective, it’s impossible to tell the difference between a ‘good’ JavaScript add-on and a ‘bad’ one. The difference only becomes clear a few days later, when their bank account is partially drained through fraudulent transactions. How does this happen?

One of the most common forms of malicious add-on is one that targets the basket purchase. It’s entirely logical: there’s no better spot to insert a credit or debit card skimmer. Ticketmaster discovered this in 2018 when the notorious cybercriminal group Magecart attacked thousands of loyal customers.

In the form of a supply chain attack, Magecart breached some of Ticketmaster’s third-party site plugin suppliers, including the AI live chat features provided by Inbenta and Sociaplus. From there, they added their own custom JavaScript modules to these plugins’ pre-existing code. This malicious code tracked and reported the credit card details of every payment made through the Ticketmaster site.

Other eCommerce platforms – including Magento, WordPress, and OpenCart – saw the effects on their own customers; almost 10,000 Magento sites alone were found to be hosting this malicious code. This had incredibly wide-reaching effects on legitimate customers, totally destroying that hard-earned brand trust. Unfortunately, this type of attack means that the cybercrime group profits from its victims – and the legitimate business takes the fall for the attack.

This type of attack occurred once again earlier this year; this time, the affected third-party tool was a cloud-based video player. Embedded videos can be incredibly important for particular industries, including engineering and real estate. The attackers built a video player hosted on an open-source platform and injected it with skimmer JavaScript code. Whenever a business imported this video player onto its own site, that site picked up and amplified the reach of the skimmer attack.

Managing the Third-Party JavaScript Risk

To keep up with eCommerce competitors, third-party JavaScript add-ons are almost essential. Unless your organization has the disposable cash to spend on fully bespoke code, an eCommerce site simply cannot do without third-party software.

With this in mind, you’re responsible for protecting both your business and your customers. Alongside careful research of each plugin, there are two external tools available that will help keep any attackers out, even if one of your plugins becomes compromised at its source.

The first and most important tool is a Web Application Firewall (WAF). This monitors the traffic flowing between your site and the public-facing internet. It allows you to rapidly create and change the rules for which HTTPS requests your site fulfils. With minimal latency, a WAF simply filters your traffic, cutting attackers out from the get-go. It is also possible to inspect and filter individual pieces of each web request, meaning it can detect when card details are copied and extracted from your site. Once those requests are blocked, the card skimmer has nowhere to send its data.
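As an added illustration (not code from the original article or from any WAF product), the following request filter shows the kind of check described above: it looks for card-number-shaped values in each request body, confirms them with the Luhn checksum, and blocks any request that carries a valid card number to an endpoint other than the site’s own payment endpoint. The endpoint allow-list and the sample requests are constructed for the example.

```python
import re

# Hypothetical allow-list: the only endpoint on this site that should ever
# receive card numbers. Everything else carrying a PAN is suspect.
PAYMENT_ENDPOINTS = {"/checkout/pay"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised card numbers found in a request body."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drops order numbers, timestamps, etc.
            pans.append(digits)
    return pans


def inspect_request(path: str, body: str) -> str:
    """'block' when a valid PAN travels to a non-payment endpoint, else 'allow'."""
    if find_pans(body) and path not in PAYMENT_ENDPOINTS:
        return "block"
    return "allow"


def scan(requests: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Apply the rule to a batch of (path, body) pairs, as a WAF would per request."""
    return [(path, inspect_request(path, body)) for path, body in requests]


# Constructed sample traffic: a legitimate checkout, a skimmer-style post to an
# unrelated endpoint, and a search term that merely looks like a card number.
SAMPLE_REQUESTS = [
    ("/checkout/pay", "card=4111111111111111&exp=12/29&cvv=123"),
    ("/static/video/stats.php", "n=Jane+Doe&c=4111-1111-1111-1111&e=12/29"),
    ("/search", "q=4111111111111112"),  # fails Luhn, so it is not flagged
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:5}  {path}")
```

This only covers exfiltration routed through your own origin; a skimmer that posts straight to an outside domain never crosses the site’s WAF, which is why the article pairs it with RASP.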

The last tool in your arsenal is Runtime Application Self-Protection (RASP). This is a server-hosted piece of tech that monitors the behavior of an application while it runs. Whereas a WAF sits at the perimeter of a server and can cut the link between a cybercriminal and their malicious code, RASP automatically detects – and prevents – malicious pieces of code such as keyloggers and card skimmers.

Together, RASP and WAF provide an incredible depth of security. They give real-time visibility and control over your web traffic, meaning you can see whether any of your plugins are compromised as soon as it happens. Whether on-premise or cloud-hosted, both of these tools greatly bolster your site’s defenses – for the benefit of your own organization and your customers.