Ensighten eGuide
Preventing Data Leakage: Web-Based Methods
How the most common methods for exposing sensitive data are overlooked and behind some of the largest known data breaches

October 2019

Introduction

It has been reported that 2019 will be the worst year on record for data breaches. Within the first six months of this year, there have been more than 3,800 incidents reported, up by 54 percent on last year. Out of those breaches, three are included in the top ten largest of all time.

This may not come as a surprise, given the near-constant reports of breaches that result in the exposure of sensitive data. But many companies may not be aware that studies show more data was exposed this year via web-based attacks than by any other method, accounting for 79 percent of compromised records. This is because while businesses are directing their IT budgets towards protecting their internal networks, systems and servers, many still don’t understand the risks associated with web vulnerabilities, and are unwittingly leaving the door open for criminals to steal customers’ sensitive information.

This is particularly relevant for ecommerce companies, whose visitors purchase or consume goods or services online. This is a rich bounty for criminals, with global web sales nearing $3 trillion last year.

This guide will highlight some of the most common web-based attack methods, and how you can protect your business from a costly data breach.

Web-based attack methods

Web injects

Injection attacks occur when an attacker adds or injects their own instructions into an existing authorized application execution process. The insertion point for the payload can be the web application itself; or, rather than compromise a site directly, attackers will breach a third-party script to access all the sites on which it runs, all at once.

This approach is paying off for the criminals. According to F5 Labs, in 2019 formjacking of payment cards made up 71 percent of web breaches and 12 percent of known breaches in total. Elsewhere, Trustwave says this type of attack was up seven percent on 2018, largely due to increased Magecart attacks targeting ecommerce sites.

"Formjacking attacks against ecommerce platforms [will] endure, as they are hard to detect and have proven profitable." (F5 Application Protection Report 2019)

Positive Technologies’ web application vulnerabilities statistics for 2018:
75% of websites are vulnerable to XSS attacks
50% of web applications have access control issues, and one third are susceptible to code injection
75% of web applications with vulnerabilities enable unauthorized access

Magecart

Magecart is the name given to a collection of hacking groups that target ecommerce sites; the name stems from the groups’ initial exploits of a shopping cart vulnerability on the Magento ecommerce platform. Operating since at least 2015, the groups have ramped up their activities over the last year or two – using more efficient skimmers and launching more pervasive payment card attacks – targeting companies like Ticketmaster, Forbes and Newegg, among many others.

In fact, researchers uncovered more than 80 global ecommerce websites compromised by Magecart groups in just 2.5 hours of searching. In all, the compromised sites were spread across the US, Canada, Europe, Latin America and Asia.

Moreover, one in five Magecart-infected stores is re-infected, often within days, according to a report by security researcher Willem de Groot. For example, luxury mattress company Amerisleep was originally breached by Magecart in 2017, attacked again in December 2018, and a third time in January 2019.

Given the notoriety of the group, the PCI Security Standards Council joined forces with the Retail and Hospitality Information Sharing and Analysis Center (ISAC) to warn companies of the growing threat of attacks such as those perpetrated by Magecart.

Formjacking

In its Global Security Report, cybersecurity vendor Trustwave reveals that payment card data is the most coveted type of information for criminals to get their hands on, comprising 36 percent of breach incidents. One of the most common ways in which they steal that data is through formjacking.

Digital Payment Card Skimming (DPCS), or formjacking, is where criminals inject malicious JavaScript (JS) code to steal credit card details and other information from the payment forms on checkout pages of ecommerce websites.

Because PCI DSS forbids merchants from storing the card security code (the three- or four-digit number printed on the card) on their servers, hackers are focusing their efforts on the client side of the website, harvesting those details in the browser as they are entered. The injected script reads the payment form fields, or hooks the form’s submit event, and sends the values to a server the attacker controls, while the legitimate checkout proceeds normally so nothing looks wrong to the shopper.

Demand for stolen data

The average price fetched by card-not-present data has doubled. Traditionally, the average price for card data stolen from online retailers, known as CVVs, has ranged somewhere between $2 and $8 per account.

This demand is almost certainly contributing to the rise in ecommerce websites getting hacked. The situation is exacerbated further by hackers turning to the dark web to easily purchase what is needed to target websites.

"Securing of third-party infrastructure and restricting access and permissions of third-party scripts to only trusted sources is also essential. Organizations should perform due diligence on third-party service providers and use only trusted software vendors." (Retail and Hospitality Information Sharing and Analysis Center (ISAC) & PCI Security Standards Council)

Third-party vulnerabilities

Unfortunately, the third-party applications and services that make websites more attractive or functional – such as those used to gain meaningful customer insights, inform business decisions and enrich the customer experience – also make them more vulnerable and thus more attractive targets for criminals.

"As web pages pull content from increasingly disparate and nebulous sources, we’re seeing more content getting injected in the browser from third-party add-ons." (F5 Application Protection Report 2019)

According to ecommerce industry research group Retail Systems Research (RSR), the average retail website now uses between 40 and 60 third-party technologies to create its online experience. Once compromised, these third-party services are used by hackers like Magecart to inject malicious JavaScript into their target websites, resulting in stolen personal data such as credit card details.

This was the case with Ticketmaster, where cybercriminals compromised Inbenta, a third-party supplier. From Inbenta they placed digital skimmers on several Ticketmaster websites. But Ticketmaster is not alone: 61 percent of US companies have experienced a data breach caused by one of their vendors or third parties.

Even more serious is that, because these third-party functions are typically used by multiple ecommerce sites, the compromise of one of them can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript. A script loaded into the page runs with the same privileges as the site’s own code: it can read the whole DOM, including every form field, and any cookie not marked HttpOnly.

Ponemon Institute, "Data Risk in the Third-Party Ecosystem" study:
22% of companies don’t know if they had a third-party data breach in the past 12 months
59% of companies have experienced a data breach caused by one of their vendors or third parties
69% say that a lack of centralized control is the key reason for not having a comprehensive inventory of third parties
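The formjacking and third-party sections above come down to one practical check: knowing exactly which scripts a checkout page loads, from which origins, and whether each one is pinned. The following is an added example, not Ensighten's tooling or any vendor's code. The HTML is constructed for the example, and shop.example, cdn.analytics.example, cdn.unvetted.example and the allowlist are hypothetical. It inventories every script tag on the page and flags unknown origins, unpinned third-party scripts and inline scripts.

```javascript
// Added example, not Ensighten's code: inventory every <script> a checkout
// page loads and flag those that could carry a skimmer. The HTML and the
// allowlist are constructed for the example; all hostnames are hypothetical.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",          // first-party assets
  "https://cdn.analytics.example", // a vetted third-party tag vendor
]);

// Constructed sample page. experiments.js is an approved vendor file that was
// never pinned, the protocol-relative loader.js stands in for a tag nobody on
// the team approved, and the inline script for a tag manager snippet that SRI
// cannot pin.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.analytics.example/tag.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/experiments.js"></script>
<script src="//cdn.unvetted.example/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment"><input name="cc"></form></body></html>`;

// Pull each opening <script ...> tag and its src / integrity attributes.
// A regex is enough for this audit; a real crawler would use a DOM parser.
function extractScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const m = tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    return { src: m ? m[1] : null, hasIntegrity: /\bintegrity\s*=/i.test(tag) };
  });
}

// Resolve relative and protocol-relative URLs against the page origin so
// "//cdn.unvetted.example/loader.js" is attributed to the right host.
function originOf(src, pageOrigin) {
  return new URL(src, pageOrigin).origin;
}

// Returns one finding per script that needs attention:
//   - inline scripts (cannot be pinned with SRI; need a CSP nonce or hash)
//   - scripts from an origin that is not on the allowlist
//   - allowed third-party scripts loaded without an integrity attribute
function auditScripts(html, pageOrigin, allowed) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src === null) {
      findings.push({ src: "(inline)", issue: "inline script; pin with a CSP nonce or hash" });
      continue;
    }
    const origin = originOf(s.src, pageOrigin);
    if (!allowed.has(origin)) {
      findings.push({ src: s.src, issue: `origin ${origin} is not on the allowlist` });
    } else if (origin !== pageOrigin && !s.hasIntegrity) {
      findings.push({ src: s.src, issue: "third-party script without integrity attribute" });
    }
  }
  return findings;
}

// Stand-alone run: print the inventory for the sample page.
for (const f of auditScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS)) {
  console.log(`${f.src}: ${f.issue}`);
}
```

Run against the constructed page this reports three findings: the unpinned experiments.js, the loader from an origin nobody approved, and the inline snippet. Running the same audit on every deploy, and diffing the result against the last known-good inventory, is the cheapest way to notice that a tag vendor has started pulling in a fourth-party script, which is exactly the compromise path the Ticketmaster case describes.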

Other hidden dangers

While this guide focuses on data loss through web-based vulnerabilities, it’s important to remember that there are other ways hackers can damage your business. One example is clickjacking, where criminal groups inject malicious scripts that hijack user clicks for online ads to boost their profits. (The same term is also used for the classic UI-redressing attack, in which your page is loaded invisibly inside a frame on an attacker’s page so that a visitor’s clicks land on your controls; the CSP frame-ancestors directive or an X-Frame-Options header blocks that variant.)

Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. The firm notes that in this case, "the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iFrame into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page."

While some malicious scripts perform clicks on ads for monetary profit, others intercept clicks to redirect users to malicious sites showing tech support scams or malware-laced apps.

Similarly, you may fall victim to ad injection, sometimes referred to as customer journey hijacking. This is where unauthorized ads are injected into your website visitors’ browsers, diverting them away from your website to your competitors. All of these web injects lose you valuable sales and provide a frustrating online experience for your customers – often without your knowledge.

Lack of investment in website security

Fewer than half of all companies surveyed in the Ponemon study say managing third-party risks is a priority within their organization. This is in keeping with Ensighten’s own research, which shows that 83 percent of US companies questioned, many with a global presence, suspect they are at risk of breaches – but two-thirds of them have not yet put proper protective measures in place.

Those questioned for the report, The Alarming Data Security Vulnerabilities Within Today’s Enterprises, claim a high level of awareness of client-side website security vulnerabilities. Still, they admit their organizations are not taking proactive measures and are effectively under-invested in protection.

Fifty-seven percent of companies say they cannot identify leakage of sensitive data from the browser, and 47 percent cannot prevent leakage of sensitive data from the browser.

Only a third of executives say they’ve fully implemented policies related to client-side website security of customer data. Most (83 percent) believe their companies could be at risk of a client-side website security breach, but current spending on client-side website security – less than $500,000 at the majority (79 percent) of companies – pales in comparison to the cost of a data breach, which is currently placed at $3.92 million. Breaches originating from a third party, such as a partner or supplier, cost companies $370,000 more than average.

Ensighten research:
83% of US companies suspect they are at risk of data breaches
67% of US companies have not yet put proper protective measures against breaches in place

Protecting your website effectively

The problem with securing your website is that the threat landscape is rapidly evolving and the threat surface area is expanding. HackerOne reports that cross-site scripting (XSS) remains the most common vulnerability type across nearly all industries.

Elsewhere, half of web applications have access control issues and one third are susceptible to code injection, according to Positive Technologies, which notes that such attacks are easy to perform as they can be carried out by low-skilled hackers, sometimes even automatically, using publicly available software.

DOM-based XSS attacks are the toughest to detect, as the vulnerability is in the client-side code rather than the server-side code: the payload is assembled in the browser, often from the URL fragment, which is never sent to the server, so the server never gets a chance to see the attack taking place. The most widely advocated protective measures, such as a Content Security Policy (CSP) and Subresource Integrity (SRI), lack the maturity, adoption and third-party interoperability to make them effective at reducing the attack surface. This is where Ensighten bridges the gap.

Cross-site Scripting (XSS)

Cross-site Scripting (XSS) is the injection of malicious script into an organization’s website. This is usually in the form of a browser-side script that the end user’s browser treats as if it had come from a trusted source, giving the malicious script access to any cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Content Security Policy (CSP)

A Content Security Policy (CSP) is a browser security standard introduced to mitigate cross-site scripting (XSS), clickjacking and other code injection attacks: the server declares, in a response header, which origins may supply scripts, styles, frames and network connections, and the browser refuses everything else. Using a CSP can mean a trade-off between security and functionality; the standard doesn’t allow the same flexibility to make changes to the site in the way teams are usually accustomed to. This means even a successful implementation that improves client-side security can sometimes be restricted by website limitations, and still be left exposed.

Subresource Integrity (SRI)

Subresource Integrity attributes are used to validate scripts and stylesheets served by a third party, to ensure they haven’t been modified: the page carries a cryptographic hash of the expected file, and the browser refuses to run a file whose hash does not match. SRI can be complex to apply to dynamic code. It is only effective when the third-party vendor provides a static, versioned JS file. But most third-party vendors constantly update their services, resulting in frequent changes to source code. Adapting SRI to match these changes can be challenging, and if it isn’t properly set up it will block a legitimate third-party script whose content has changed, breaking whatever on the page depended on it.

Ensighten’s MarSec™ solution is a mature platform with more than six years of adoption, protecting over 13 billion website visits since January 2018 alone. Once configured, Ensighten provides client-side protection against malicious and unauthorized scripts, data theft attempts, formjacking, clickjacking, phishing and customer journey hijacking.

With web-based attacks being the number one method used by criminals to steal sensitive data, it is essential you devote the same attention to securing your website as you would your internal IT systems – and protect your business from a potentially disastrous data breach at the same time.

About Ensighten

Ensighten is a global cybersecurity leader, offering next generation client-side protection against data loss, ad injection and intrusion. Through the Ensighten solution, organizations can assess privacy risk and stop unauthorized leakage or theft of data, as well as comply with CCPA, GDPR and other data privacy regulations. Ensighten’s MarSec™ platform protects some of the largest brands in the world from data leakage whilst ensuring maximum web page performance.

Ensighten is headquartered in Menlo Park, US with the European HQ in London, UK. To learn more visit www.ensighten.com and join the conversation on LinkedIn and Twitter.
