3 Third-Party Application Security Insights of the Last Years

WOW, 2019 was a busy year, but if you look at the decade that ended recently, it was hectic!

For the beginning of the 2020’s and to celebrate the end of the second decade, we’ve collected 3 of the most influential and interesting web third-party events. It was a hard choice, but eventually we picked three milestones, each demonstrates a turning point.

Magecart Notable Breaches and Media Recognition

Our first choice is almost inevitable. It refers to 3 of the most noteworthy breaches. Each occurred as a result of a supply-chain attack and involved a at least one compromised third-party component. All attacks were conducted by one of the Magecart groups. The first and most famous breach is British-Airways. Though this huge breach happened by mid-end 2018, the company is suffering an ongoing damage out of it, as it recently involved a $230M dollar fine from the British ICO – the UK privacy watchdog. The second breach, also by Magecart, is off-course the Ticketmaster attack, involving a third-party US company called Inbenta. What’s interesting in this case are the mutual allegations between the companies. The third breach is the famous Newegg case which came right after the British-Airways attack. That online skimming attack was a long one! It occurred from mid. August 2018 until September 18^th that year. Ever since these three attacks, the Magecart threat actors have dramatically evolved, leaving behind tens of thousands of compromised websites.

According to researchers, Magecart has been around for almost a decade, with 7 to 12 active groups responsible for tens of thousands of supply-chain attacks. But it was only by the end of 2018 that notable media outlets such as Wired magazine put Magecart on the map. Interesting enough and along with human characters like President Donald Trump, Vladimir Putin and Facebook’s Mark Zuckerberg, Wired magazine named MageCart as “one of THE MOST DANGEROUS PEOPLE ON THE INTERNET IN 2018”. Another significant mention from other media authority comes from ZDNet. Though we’ve mentioned it in a previous post, it is too important to ignore, as the magazine names Magecart as one of “The most notable cyber-security events of the 2010s”.

Read more about these horrific Magecart attacks, by Fahmida Y. Rashid, Duo.com: Magecart Group Refines Attacks, Nabs More Sites

Read more about Magecart’s media recognition:
An article by Catalin Cimpanu, ZDNet: A decade of hacking: The most notable cyber-security events of the 2010s;
Wired Magazine: The Most Dangerous People on the Internet in 2018

Pipka: Evolving Sophistication and Imitators

Our second choice refers to a new dimension of supply chain attacks, one that brings not only more sophisticated attacks, but also more devious methods. Whilst Magecart attacks made serious headlines, we noticed that more attackers have started not only to imitate this methodology, but also to improve it. The recent Pipka malicious JavaScript is a living proof of it. Pipka was discovered by VISA’s Payment Fraud Disruption (PFD) and was first detected on September 2019. At first glance, it may work like other supply-chain attacks on websites, but once the compromised code is served to the end-user, it behaves differently. Interesting, once it has been executed, the malicious JavaScript skimmer actually removes itself from the attacked website and vanishes.

According to CISO Magazine “Visa says that it has not seen anything like this before and it’s a proof that cybercriminals are getting more sophisticated in the way they are carrying out attacks by the day.” Nevertheless, the issue here is not about Pipka, it is about the evolution of client-side attacks and JavaScript exploitation. Obviously, this is just a sign and it certainly isn’t the last word.

Read more about Pipka on CISOMAG: “Pipka” JavaScript Skimmer Targets Ecommerce Websites

Third-Party Privacy Risks

Privacy issues have been with us from the early days of the Internet. Over the last decade and with emergence of new regulations like the GDPR and CCPA, it has become a concerning issue for many organizations with online presence and for us, as site visitors. Facebook’s Cambridge Analytica breach made huge headlines and also boosted the awareness to privacy violations dramatically. When you look at any website, Facebook and other advertising platforms like Google Ads, Twitter and Taboola, are most likely embedded. Ad platforms are not alone in this game. Social addons like Oracle’s AddThis, engagement tools as Optimizely or Hotjar, and other components like Modernizr are all an integral part of websites today. Each of these thousands of scripts are an installed third-party or a fourth party that tracks your users, and in some cases even involve personally identifiable information (PII). This raises serious privacy concerns, especially as it all refers to external vendor code that in many case shares PII by default. Organization today are obliged to comply with regulations and the latest Fashion ID case that named the retailer as controller is a lesson to be learned. From a branding reputation perspective, they should also show that they care about their users’ privacy. The problem in this case is tracking. But this time the tracking refers to the vendors’ code that is installed on your website and running on users’ browsers. Inevitably, these days, websites need to monitor their installed third-parties to make sure they comply with tightening regulations to avoid fines and penalties.

Read more: An article by Dan Swinhoe, CSO: The biggest data breach fines, penalties and settlements so far

What’s Next?

You are probably wondering what’s our prediction for the next couple of years. To start with, websites and digital assets as a whole will have no choice, but to use third-party apps. The demand will grow, the supply will also grow and the interdependency will increase. Why? Simply because that’s how it works.  

Our analysts assume that two major trends will lead the way: growing privacy demands and evolving sophistication in supply-chain attacks on websites and digital assets.

Privacy Concerns: We believe that new regulation will play a major part in websites architecture. The GDPR and CCPA is a live proof for the power of states, not only with higher fines, but also with more demands for disclosure towards end-users. There will be more emphasis on what each third-party component does, what’s impact it has on the users and most importantly – organizations will have to show more social responsibility. Not only from legal perspective, but also from a branding and reputation point of view. This is where it all begins.
The future of online supply-chain attack: The second prediction refers to the nature of supply-chain attacks on websites and online skimming. As we all know hackers are always seeking for new back-doors and third-party code is definitely one of the most effective tools for them. We believe there will be a higher level of sophistication, and the Pipka malware is just the beginning of it. Be aware!