E-commerce networks attract bad actors. Credit card details, passwords, financial and personal information are now regularly stored by third-party cloud providers. These cloud providers’ networks, which interact with the internet, are more vulnerable than most organizations realize. Cybercriminals use various techniques to try to compromise third-party networks, get hold of personal information and use it for malicious purposes. Enterprises unwittingly enable security breaches by leaving their digital assets exposed to a variety of cyber threats. Indeed, research shows that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88 percent increase from 2016.
In April, security researchers from Flashpoint revealed that hackers compromised at least a thousand e-commerce sites running Magento platform to scrape credit card details and install cryptojacking malware. This attack is not the first to target Magento websites and is yet another example of the rise in the number of cyberattacks focused on cryptocurrency-mining and malvertising as well as a reminder that any enterprise lacking a comprehensive, digital risk management program is at risk.
Keeping sensitive information out of the wrong hands should be a priority for any business that runs a high volume of online transactions. Most organizations’ traditional defense tactics like antivirus, firewalls, blacklists, etc., are proving woefully inadequate in countering hackers’ ever-more sophisticated methods. Therefore, these organizations need a more comprehensive digital security strategy, one that includes an in-depth review of parties in their digital ecosystem, as well as proactive, continuous monitoring and analysis of all their activities.
Web Scraping
Web scraping is the process of using software tools such as bots to extract targeted information en masse from the internet and storing it locally. The process of web scraping includes siphoning website data into a database, where it can be analyzed or repurposed for the web scraper’s own website.
To be sure, web scraping is used for legitimate purposes like accruing weather data, real estate listings, social media postings, market statistics, etc. However, its reputation over the past few years has deteriorated. Although a great number of individuals and companies use web scrapers, such tools pose a danger to the companies whose websites are scraped, like social networks and online stores. If those databases are compromised, malicious actors can effortlessly steal sensitive information on the web and use it for malicious purposes such as installing malware, sending phishing emails, and mining cryptocurrency, to name a few.
Websites at Risk
The retail and hospitality industries have a long history with point-of-sale systems compromises and web scraping malware. But they aren’t alone. Other industries, such as government and healthcare, can also fall victim to those threats.
E-commerce websites have turned into an attractive target for cybercriminals because not only do they collect payments but they also use consumer data to personalize the experience. So, too, have government, healthcare, and charity websites, where consumers enter sensitive information and make payments. However, one of a website’s significant sources of risk are the direct and indirect vendors that support it and collect information on its visitors/users for a variety of reasons.
Indeed, attacks orchestrated through an unknowing accomplice such as a third-party digital vendor are a problem for traditional application security tools, which can typically only monitor code provided by direct vendors. This is a problem considering a majority of website code is provided by third-party sources such as content recommendation engines, customer identification platforms, data management platforms, social media widgets and video players. As a result, only the owned and operated website code is scanned, reviewed and deemed safe, leaving some areas in the network unprotected and available for anyone to exploit.
Cyber criminals leverage corporate websites to drop malware on site visitors – often including employees – that mines for system vulnerabilities and siphons valuable customer data or redirects consumers to alternative and possibly competitive sites. In addition, attackers use compromised website code to drop and launch a malicious cryptomining code onto users’ machines.
When it comes to cryptomining and malicious third-party code the industry’s focus is on the attacks and compromised devices rather than the root cause. These attacks are but a symptom of a deeper problem within the digital ecosystem. Lacking full visibility into the code rendering on their websites and mobile apps, enterprises don’t know when and how a compromise occurs. Without an in-depth review of all digital partners, it is near impossible to control what happens in the browser call chain.
Best Practices
Cryptomining and scrape payment security incidents further emphasize the need to expand and adapt vendor risk management programs for today’s digital-first economy. Data privacy laws are being enacted that will penalize companies for their lack of partner knowledge as well as not taking every precaution to secure consumer data.
To protect a website operation and users, organizations need to invest in security measures that ensure this dynamic environment is safe from compromise. This means a thorough and ongoing review of all code and vendors used to render the site on consumer browsers – both front-end services like image library and product recommendations etc., and back-end services like CMS and content delivery networks.
The best defense is continuous identification and monitoring of third-party vendors – be it basic password and configuration failures or more complex third-party code manipulation – to catch the moment of compromise before significant harm is unleashed. This includes from the user’s point of view to detect security, data privacy and quality issues that could negatively impact their experience and lead to brand damage.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.
