Source Defense’s client-side platform protects online businesses from data-stealing threats

Source Defense announced its new offering of Website in Page Protection (WiPP), as well as product enhancements and performance improvements to the VICE sandboxing technology within the Source Defense Platform.

WiPP’s added security benefits, protecting eCommerce and other web interfaces from data-stealing threats, arrive at a critical time: online shopping is expected to increase dramatically this holiday season, along with online banking and demand for telehealth services.

The Source Defense Platform protects online businesses and their customers from automated attacks and client-side threats, and improves operational efficiency.

The latest platform release focuses on maximizing performance and effectiveness in protecting online customers’ website journeys. It also provides an additional layer of protection against malicious code and intrusions that exploit vulnerable software and third-party services behind the web storefronts of major retailers, banks and healthcare services.

As these sites rely on ever more third-party code to drive efficiency, data analytics and the user experience, it becomes increasingly difficult to detect and isolate attackers who infiltrate web page supply chains to steal personal and financial information at scale.

Analyzing consumer buying habits during COVID-19, eMarketer research predicts a 10.5% decline in total 2020 U.S. retail sales, with a 14% drop in brick-and-mortar sales – but forecasts an 18% surge in eCommerce.

eMarketer’s online growth outlook expects increases in both the number of digital shoppers and the average spending per buyer. These gains also reflect the pandemic’s impact on how different age groups shop online, predicting a 12.2% increase for shoppers 65 and over, who may be less familiar with security threats and online scams.

Greater reliance on digital and contactless shopping during an ongoing pandemic creates vast opportunities for criminals following the money, as FBI cybercrime alerts continually illustrate.

“Every organization wants reliable threat intel that provides proof of their security tools performing, protecting, and delivering value,” said Source Defense CTO and Co-founder Hadar Blutrich.

“Monitoring and alerting are no longer sufficient ways to prevent Magecart attacks. By having the ability to detect and protect, Source Defense has made it easier for any business in any industry to implement our products and harness its power, allowing users to better fortify their websites from malicious threats today.”

The release of WiPP strengthens the Source Defense arsenal protecting websites from attacks originating from first-party code, insider threats, and vulnerabilities introduced by open source libraries.

Key benefits of WiPP include:

  • Protects websites from attacks originating within businesses’ own first-party code, vulnerable open source software libraries, embedded third-party integrations and more
  • Real-time detection & protection defeating efforts to escalate privileges and covertly manipulate site forms and data
  • Detailed analysis of script behavior, actions taken, and necessary permissions
  • Extension of organizations’ security perimeter across web properties, driving additional value from other existing security products, while protecting web apps from client-side attacks such as Magecart or formjacking threats.

“There is a large gap in security that’s formed in the protection chain that ought to extend to end users. As more of a website’s work is done within a user’s browsers, those applications are now more exposed in a no man’s land that attackers are all too ready to exploit,” said 451 Group Analyst Eric Hanselman.

Source Defense is an analyst-recognized pioneer and innovator of technologies that leverage machine learning, industry regulations and best practices to improve website security and efficiency.

The Source Defense Platform is a SaaS offering that monitors, detects and protects against all aspects of Magecart attacks. WiPP sits alongside Source Defense’s VICE product and the ADMIN management console.

Debunking myths related to client-side security and Magecart attacks

The client-side landscape has been overrun by third-party script attacks executed by malicious attackers utilizing formjacking or other methods made famous by the Magecart attack group.

Magecart attacks

Many companies assume their current security stack protects them from these seemingly basic attacks, but in reality these attacks open a can of worms, and you may not even know you’ve been attacked. Read on for some of the common misconceptions about client-side protection and these dedicated threats, and to see whether your business is in fact safe.

Myth #1 – I don’t need to worry about client-side security unless I have a virtual shopping cart/eCommerce

While formjacking is heavily concentrated in online retail, other verticals are also significantly exposed, since only a few lines of injected code can disrupt any organization that collects personal information on a website.

Attackers also use malicious JavaScript injections that run almost seamlessly alongside the third-party vendor scripts a website uses to improve performance or experience. These are all areas of potential vulnerability and, if not monitored, can prove costly.

Myth #2 – I have a firewall, WAF and a secure connection so I’m safe from these attacks

Firewall, WAF, secure connection and many other solutions are focused on securing internal servers and the communication between the browser and these internal servers. Formjacking and Magecart attacks are executed on the user’s browser and in many cases, load from a remote server. This client-side connection operates completely outside of the security capabilities an organization deploys to secure the server side of the browser session.

Myth #3 – RASP or DAST catches formjacking and Magecart-type attacks

Dynamic Application Security Testing (DAST) is usually active on a pre-production environment and does not cover live sites. The few who run DAST on a live site will simulate a few user profiles but cannot possibly scale this solution to monitor and detect all web sessions.

As third parties change their behavior from user to user, DAST is largely ineffective in detecting attacks on large production networks and completely ineffective at preventing these types of attacks. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.

RASP is Runtime Application Self-Protection; it exists only on the Java virtual machine and .NET Common Language Runtime. Since it runs in those runtimes and not on the actual live site, third parties are outside its detection scope. Again, RASP is not intended as a prevention solution. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.

Myth #4 – CSP and other page headers will stop Magecart attacks

CSP is often suggested as the solution for Magecart attacks. Although it can be part of the solution, by now we know that many Magecart attacks are carried out from trusted domains. Take for example the 24/7 chat hack that captured payment card information from the websites of huge enterprises such as Delta Airlines, Sears, Kmart, and BestBuy. This tool was trusted by those firms and has to be whitelisted by the CSP in order to work.

Other headers such as HSTS are sometimes also mentioned as a possible solution, but by now attackers are sophisticated enough to load their payload over SSL (https), which sidesteps this header as well.
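The point of Myth #4 is that a policy header can only bound where scripts and data may go, not vouch for the code an allowed host serves. The following is an added example (not Source Defense code, and not taken from any real site): a small reviewer that parses a Content-Security-Policy header and reports the settings that leave a page open to injected or exfiltrating scripts. The two policies and the hostnames in them are constructed for the example.

```javascript
// Added example: review a Content-Security-Policy header for the weak
// settings that matter most for client-side data theft. This is a defender's
// linting aid; it cannot judge whether an allowed host is trustworthy.

// Parse "directive value value; directive value" into a Map of token arrays.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Return a list of findings; an empty list means none of the checked
// weaknesses is present (which is not the same as "the page is safe").
function reviewCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scriptSrc = csp.get('script-src') || csp.get('default-src');

  if (!scriptSrc) {
    findings.push('no script-src or default-src: any script source is allowed');
  } else {
    if (scriptSrc.includes('*')) findings.push("script-src allows '*'");
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.some(v => v.startsWith('https://*.') || v === 'https:' || v === 'http:')) {
      findings.push('script-src allows a scheme-wide or wildcard host source');
    }
  }
  // connect-src bounds fetch/XHR/beacon destinations; form-action bounds
  // where a form may be submitted. Both limit where captured data can go.
  if (!csp.has('connect-src') && !csp.has('default-src')) {
    findings.push('no connect-src: scripts may send data to any host');
  }
  if (!csp.has('form-action')) {
    findings.push('no form-action: a form action may be rewritten to any host');
  }
  return findings;
}

// List the hosts whose scripts the policy allows to run with full page
// access; this is the list that must be reviewed as a supply chain.
function allowedScriptHosts(header) {
  const csp = parseCsp(header);
  const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
  return scriptSrc.filter(v => !v.startsWith("'") && v.includes('://'));
}

// Constructed policies (not from any real deployment).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://chat.vendor.example; " +
  "connect-src 'self' https://chat.vendor.example; form-action 'self'";

console.log('weak:', reviewCsp(WEAK_POLICY));
console.log('strict:', reviewCsp(STRICT_POLICY));
console.log('strict policy still trusts:', allowedScriptHosts(STRICT_POLICY));
```

Even the strict policy returns no findings while still trusting `https://chat.vendor.example`; a script served from that host runs with the same access to the page as first-party code, which is exactly the case the chat-widget incident above illustrates.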

Myth #5 – Magecart hackers need to use a “drop server” to capture the data

In most of the known Magecart attacks, the payload is delivered by a trusted domain (for example a third-party vendor) and the data it collects is sent to the hacker’s server, also called a “drop server”. In some attacks we are seeing the hackers use legitimate-looking domain names to avoid detection; for example, the drop server in the British Airways attack was under the domain “baways.com”.

But the more sophisticated hackers avoid using a drop server altogether and instead create an account with one of the third parties the website already uses, in order to capture the information in an undetectable way.

Figure: Using Google Analytics to capture user credentials

Myth #6 – You can detect all Magecart attacks from the outside without implementing code to your website

Scanning the website from the outside in order to catch these attacks sets a very low bar, one that can be cleared by using one of the most common techniques almost all third-party vendors rely on. By nature, third-party code is dynamic and can adjust to run only for specific users: for example, when you visit a website you see advertisements related to your browsing history, and someone else sees completely different advertisements according to theirs.

Hackers use those same methods to avoid detection, so the payload is applied to real users and never shown to an outside scanner; sometimes the hack is served to only a small percentage of site visitors to avoid detection by humans. To detect Magecart, you need real-time protection all the time.

Myth #7 – If I am being attacked right now my team would definitely be aware of it

As proven by the Magecart attack that affected over 800 websites for 3 years, many dedicated attacks are very hard to detect. If you Google “undetected Magecart attacks”, the search returns a number of recent threats that top Fortune 100 companies unfortunately experienced. While security teams are trained in responding to DDoS and bot attacks, these vectors are new and evolving, adding operational costs in dedicated staff hours and, more than likely, the need for a third-party solution.

Myth #8 – Third-party risks are the top concern your company should be worried about

While third-party risks present the largest issues at hand, you can’t dismiss the fourth- and fifth-party risks that come as extensions of third parties.

Even the most security-driven websites, which audit and test the vulnerabilities of the third-party scripts they interact with (in itself rare and difficult to follow through), still remain exposed through the fourth- and fifth-party scripts those suppliers interact with. This makes the process of fully protecting websites and their users from attack scripts much more challenging.

5 questions about website and brand security every business owner should ask

Your website is the primary way your customers interact with your enterprise. You envision and create a website to:

  • Enhance customer engagement and conversion of visitors to customers.
  • Optimize revenue per customer.
  • Create repeat customers.
  • Retain customers, i.e., avoid customer attrition and abandonment.

Adding security to the overall business strategy should initiate the following questions to ensure you are making informed decisions for the safety of your brand and your customers.

1. What scripts are running right now on my website?

What services and scripts are you utilizing to optimize your website? Going a step beyond that, what scripts are running on your website?

There are thousands of third-party website scripts marketing teams routinely employ to achieve these goals. They include analytics, trackers, live or virtual customer engagement, social media scripts, and site monetization through advertising – just to name a few. New and innovative website scripts are constantly being released and those enterprises that best leverage them are at an advantage relative to their peers and competitors.

However, your security department limits your usage of these powerful scripts by:

  • Limiting how many third-party scripts you use on your website.
  • Restricting your usage to mature tools and scripts and limiting your usage of newer, more innovative ones.
  • Preventing your usage of third-party scripts in the most impactful (but also sensitive) areas of your website.

Although these limitations were once put in place for good reason, they are absolutely constraining your ability to achieve the goal of maximizing business performance through optimization of your website capabilities.
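Question 1 asks what scripts are actually running, and Myth #6 above explains why only an answer taken inside a real visitor’s browser is reliable, since third-party code can behave differently per user. The following is an added example (not Source Defense code): an in-page script inventory that reads every script element the browser has loaded, compares the origins against an approved list, and keeps watching for scripts that a third party injects later. The approved origins and the sample inventory are constructed for the example; `collectScripts` and `watchForNewScripts` assume a browser DOM and are skipped when none is present.

```javascript
// Added example: inventory the scripts present in the page and flag the ones
// that are inline or come from an origin that was never approved. Scripts
// added later (by a third party loading a fourth party, for instance) are
// caught by a MutationObserver, which sees the DOM insertion itself.

// Constructed allowlist: the first party plus an approved vendor.
const APPROVED_ORIGINS = new Set([
  'https://shop.example',
  'https://analytics.vendor.example',
]);

// Origin of a script URL, or null when it is not an absolute URL.
function originOf(src) {
  try { return new URL(src).origin; } catch (e) { return null; }
}

// scripts: [{ src }] where src is '' for an inline script.
// Returns which sources are approved, which are not, and how many are inline.
function reviewInventory(scripts, approved) {
  const report = { approved: [], unapproved: [], inline: 0 };
  for (const s of scripts) {
    if (!s.src) { report.inline += 1; continue; }
    const origin = originOf(s.src);
    if (origin && approved.has(origin)) report.approved.push(s.src);
    else report.unapproved.push(s.src);
  }
  return report;
}

// Browser glue (assumes a DOM): snapshot every <script> currently present.
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll('script')).map(el => ({ src: el.src || '' }));
}

// Browser glue (assumes a DOM): report scripts inserted after the snapshot.
function watchForNewScripts(doc, approved, onFinding) {
  const observer = new MutationObserver(records => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeName !== 'SCRIPT') continue;
        const rep = reviewInventory([{ src: node.src || '' }], approved);
        if (rep.unapproved.length || rep.inline) onFinding(rep, node);
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== 'undefined') {
  console.log('initial inventory:', reviewInventory(collectScripts(document), APPROVED_ORIGINS));
  watchForNewScripts(document, APPROVED_ORIGINS, rep => console.warn('late script:', rep));
}

// Constructed sample inventory, as a visitor's browser might report it.
const SAMPLE_INVENTORY = [
  { src: 'https://shop.example/js/checkout.js' },
  { src: 'https://analytics.vendor.example/tag.js' },
  { src: 'https://cdn.tag-manager.example/loader.js' }, // brought in by a third party
  { src: '' },                                          // an inline script
];

console.log(reviewInventory(SAMPLE_INVENTORY, APPROVED_ORIGINS));
```

The report for the sample inventory lists the tag-manager loader as unapproved and counts one inline script; in a live page the observer callback is where an alert would be raised. The inventory is only as good as the approved list, so the list itself needs an owner, which is the subject of question 2.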

2. Am I being consulted every time a new script is being added to our website?

If you don’t think you need to be consulted, then what precautionary steps ensure there is a protocol of checks and balances for your website security? Depending on how small or large your organization is, you may not have daily visibility into the inner workings of your team.

The security team may be actively monitoring third-party scripts, which is a great first step in client-side website protection. However, a gap that many people forget is how website owners address the fourth- and fifth-party scripts that the approved third-party scripts bring to your website.

3. Are we protecting our customers and their data?

Due to the lack of permissions that govern and limit the access and behavior of third-party website scripts, those third parties and the hackers that seek to compromise them have unrestricted access to nearly every aspect of the webpage, including customer data that is displayed on the page or entered by the customer.

This includes usernames, passwords, personally identifiable information, payment information, and other sensitive and regulated data. Beyond the ability to read this information, the unrestricted access granted to these third-party scripts might enable hackers to exploit them to:

  • Record all customer keystrokes and data.
  • Manipulate webpage form-fields to dupe customers into revealing unnecessary and sensitive information to unauthorized third parties and/or hackers.
  • Inject popup boxes that request unnecessary and sensitive information from the customer.
  • Hijack the users’ mouse clicks and automatically redirect them to unauthorized external websites where customer information is phished and stolen.

4. What regulations should I be paying attention to? Are they releasing any information on new attack vectors?

Is HIPAA, PCI, GDPR or CCPA something your organization adheres to? The Internet has significantly extended an organization’s security perimeter: every script that enables and enriches a website extends the attack surface across the entire Internet, and attackers exploit that.

GDPR, HIPAA and PCI are only a few of the regulations set up to ensure companies (and individuals) are protecting the customer/consumer.

New attacks have a way of skirting around existing security measures. A simple Google search can tell you about new and up-and-coming attack vectors and whether organizations are actively preventing them.

5. Could my organization be the next victim?

Are your competitors or similar companies in your field being targeted? Attackers such as the Magecart groups are known for going after eCommerce companies. Similar industries also use similar tools and scripts, and those shared scripts make it easy for a hacker to move from one site to the next, checking for crossover to see whether already-known vulnerabilities are present on each website.

Just because it hasn’t happened, doesn’t mean you are immune to it. Setting up precautions is truly the only way to ensure you are protected and can control all of the elements on your website.

In summary, it’s important to ensure you or at least your team holds all the cards. If you aren’t sure where to start, just ask for an analysis on the third-party scripts running on your website and see if there is anything that surprises you in the results.