Websites used to be pretty simple: plug some boilerplate HTML together, host it on a domain, and see the traffic trickle in. However, as search engines and the tech-retail landscape have evolved, sites have become increasingly complex. Many customers now rely exclusively on a company’s site, browsing products and communicating about requirements and issues at will. The expectation is for company websites to be clean, relevant and always open. Thanks to this evolution, even the most basic, free-to-set-up site is bursting with dynamic code today.
Here is how cybercriminals take advantage of that complexity to target you and your customers, and how a Web Application Firewall (WAF) can shut that practice down for good.
Third-Party Scripts: Vital yet Deadly
Traditional HTML websites are – on paper – fairly simple to piece together. With no user input to handle, a static HTML site looks exactly the same to every viewer. Every page is its own entity, which makes changing content far more tricky: change one thing and the whole lot could come tumbling down. Whether your viewer is from the US or Japan, the site will not reflect any differences.
Dynamic sites, however, are a little different. A dynamic website holds its content in a database managed through a content management system (CMS). This can be easily updated and switched at will, meaning there’s no impending HTML catastrophe after every blog post. The design and formatting of each page is often applied automatically. Language- and location-specific sites can detect a user’s country from their IP address and automatically display the most relevant content. All in all, a dynamic website offers a far sleeker, more professional finish.
Much of that dynamic behaviour is delivered by third-party scripts, and don’t underestimate their ubiquity. Site owners use third-party scripts for almost everything: integrating shopping carts, producing dynamic forms, showcasing social media buttons and tracking visitors, to name a few. These scripts are available, usually at no charge, from a wide variety of sources, including cloud providers, social media companies and open source organizations.
Digging Deeper: Magecart’s Addons
One of the most common forms of malicious add-on is one attached to the basket or checkout. It’s totally logical: there’s no better spot to insert a credit or debit card skimmer. Ticketmaster discovered this in 2018 when the notorious cybercriminal group Magecart attacked thousands of loyal customers.
Other eCommerce platforms – including Magento, WordPress, and OpenCart – felt the effects on their own customers; almost 10,000 Magento sites alone were found to be hosting this malicious code. This had incredibly wide-reaching effects on legitimate customers, totally destroying that hard-earned brand trust. Unfortunately, this type of attack means the cybercrime group profits off its victims while the legitimate business takes the fall for the attack.
With this in mind, you’re responsible for protecting both your business and your customers. Alongside careful research of each plugin, there are two external tools available that will help keep any attackers out, even if one of your plugins becomes compromised at its source.
The first and most important tool is a Web Application Firewall (WAF). This monitors the traffic flowing between your site and the public internet. It allows you to rapidly create and change the rules for which HTTPS requests your site fulfills. With minimal latency, a WAF simply filters your traffic, cutting out attackers from the get-go. It can also inspect and filter individual pieces of a web request, meaning it can detect when card details are copied and extracted from your site. Blocking those requests stops a card skimmer from delivering what it has stolen.
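As an added illustration of the kind of per-field inspection described above (example code written for this article, not a real WAF’s rule engine), the following rule flags any request that carries a Luhn-valid card number outside the one checkout field where a card number is expected. The allowed path and field name, and the sample requests, are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the only place a card number legitimately appears in a request.
ALLOWED_PAN_FIELDS = {("/checkout", "card_number")}
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum; cuts down false positives on order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like a valid card number."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def inspect_request(method, url, body):
    """Decide 'allow' or 'block' and list the fields that carried a PAN."""
    parts = urlsplit(url)
    fields = dict(parse_qs(parts.query))          # query-string parameters
    if method.upper() == "POST":
        fields.update(parse_qs(body))             # form-encoded body fields
    hits = []
    for name, values in fields.items():
        if (parts.path, name) in ALLOWED_PAN_FIELDS:
            continue                              # legitimate checkout field
        if any(find_pans(v) for v in values):
            hits.append(name)
    return {"action": "block" if hits else "allow", "fields": hits}


if __name__ == "__main__":
    # Constructed sample: a skimmer-style beacon smuggling a PAN in an image URL.
    print(inspect_request("GET", "https://shop.example/img/pixel.gif?d=4111111111111111", ""))
```

The checkout POST passes because its card number sits in the one permitted field; the same number in any other parameter, such as a tracking-pixel query string, is blocked.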
The last tool in your arsenal is Runtime Application Security Protection (RASP). This is a server-hosted piece of tech that monitors the behavior of an application. Whereas a WAF sits at the perimeter of a server and can cut the link between a cybercriminal and their malicious code, RASP automatically detects – and prevents – malicious pieces of code such as keyloggers and card skimmers from running inside the application itself.
Together, RASP and WAF provide an incredible depth of security. They give real-time visibility and control over your web traffic, meaning you can see whether any of your plugins are compromised from the get-go. Whether on-premise or cloud-hosted, both of these tools greatly bolster your site’s defenses – for the benefit of your own organization and your customers.