According to a 2020 global security report, Retail is the most targeted sector for cyberattacks. As an eCommerce vendor, this should hardly raise any eyebrows. After all, threat actors recognize that some of the most sensitive customer information is entered into online shopping websites, such as credit card data and a whole wealth of personal credentials, and this data can be seriously valuable.
However, as security teams continue to focus their attention on the server-side, one of the most prevalent risks is looming outside of their line of sight — on the client-side.
The rise in usage of third-party digital applications
Today’s merchants are by no means an island. To power their businesses and their online stores, a wide range of third-party digital applications are working around the clock, and behind the scenes. From analytics and tracking, to social media widgets, payment processing, advertisements, and dynamic media — the average eCommerce site can have as many as 60 third-party applications, which to the website visitor, appear inseparable from the website itself.
As these digital applications are owned by third-parties, they are usually loaded externally, and can be modified continuously and dynamically, superseding or even bypassing security controls entirely. Overwhelmingly, these digital apps run on the client side, which means they are invisible to Web Application Firewalls (WAF), or Intrusion Prevention Systems (IPS). See where we’re going with this?
When these third-party application environments are compromised (which can happen through anything from a cyber-attack on their own systems to a simple expired domain that gets bought by a threat actor), you are handing attackers an open door into your own customer environment through code injection, modified scripts, form jacking, and more. In February this year, more than 350 eCommerce stores were infected with malware in a single day, after a Magecart attack that left the attackers a whopping 19 backdoors on investigated systems. This was achieved through a vulnerability in the QuickView plugin, a tool meant to make it easier for shoppers to see product information at a glance.
Protecting the client-side
The growth in these kinds of attacks is gaining industry attention fast, leading to improved regulations such as the PCI-DSS update for v4, which specifically calls out a new requirement for a “change and tamper detection mechanism” for payment pages on retail websites. While many businesses will rely on Content Security Policies (CSP) or client-side Web Application Firewalls, these leave many gaps in a business’ security posture, and involve a lot of manual work to keep up to date, without providing the visibility necessary to secure such a dynamic and complex environment.
Want to learn more about this essential topic and ensure you remain secure and compliant? Reflectiz’ CEO and co-founder Idan Cohen will be joined by Dan Holden, VP Cybersecurity at BigCommerce, to discuss this issue in depth on Cyber Thursday, Thursday May 19th 2022. The panel will discuss:
- The growing risk of the client-side, and why traditional security tools fail to visualize and mitigate effectively.
- The role of client-side protection tools in fighting Magecart attacks, and ensuring privacy regulations are met.
- The case study of BigCommerce, and how this shopping giant protects its 60,000+ merchants online.
The event is open to all RH-ISAC members and retail or hospitality cyber security practitioners, and will be moderated by Byron Hundley, VP Intelligence Operations at RH-ISAC. You can register here to save your seat!