
Ensighten eGuide
Preventing Data Leakage: Web-Based Cyberattack Methods
How the most common methods for exposing sensitive data are overlooked and behind some of the largest known data breaches
October 2019

Introduction

It has been reported that 2019 will be the worst year on record for data breaches. Within the first six months of this year, more than 3,800 incidents were reported, up by 54 percent on last year. Three of those breaches rank among the top ten largest of all time.

This may not come as a surprise, given the near-constant reports of cyberattacks that result in the exposure of sensitive data. But many companies may not be aware that studies show more data was exposed this year via web-based attacks than by any other method, accounting for 79 percent of compromised records.

This is because while businesses are directing their IT budgets towards protecting their internal networks, systems and servers, many still don’t understand the risks associated with web vulnerabilities, and are unwittingly leaving the door open for criminals to steal customers’ sensitive information.

This is particularly relevant for ecommerce companies, where visitors purchase or consume goods or services online. With global web sales nearing $3 trillion last year, this is a rich bounty for criminals.

This guide will highlight some of the most common web-based attack methods, and how you can protect your business from a costly data breach.

Web-based attack methods

"Formjacking attacks against ecommerce platforms [will] endure, as they are hard to detect and have proven profitable." (F5 Application Protection Report 2019)

Web injects

Injection attacks occur when an attacker adds or injects their own instructions into an existing authorized application execution process. The insertion point for the payload can be the web application itself, or, rather than compromise a site directly, attackers will breach a third-party script to access all the sites on which it runs, all at once.

This approach is paying off for the criminals. According to F5 Labs, in 2019 formjacking of payment cards made up 71 percent of web breaches and 12 percent of known breaches in total. Elsewhere, Trustwave says this type of attack was up seven percent on 2018, largely due to increased Magecart attacks targeting ecommerce sites.

Positive Technologies’ web application vulnerabilities statistics for 2018:
- 75% of websites are vulnerable to XSS attacks
- 50% of web applications have access control issues, and one third are susceptible to code injection
- 75% of web applications with vulnerabilities enable unauthorized access

Magecart

Magecart is the name given to a collection of hackers that target ecommerce sites; the name stems from the groups carrying out initial exploits of a shopping cart vulnerability on the Magento ecommerce platform. Operating since at least 2015, the groups have ramped up their activities over the last year or two – using more efficient skimmers and launching more pervasive payment card attacks – targeting companies like Ticketmaster, Forbes and Newegg, among many others. In fact, researchers uncovered more than 80 global ecommerce websites compromised by Magecart groups in just 2.5 hours of searching. In all, the compromised sites were spread out across the US, Canada, Europe, Latin America and Asia.

Moreover, one in five Magecart-infected stores are re-infected multiple times, often within days, according to a report by security researcher Willem de Groot. For example, luxury mattress company Amerisleep was originally breached by Magecart in 2017, attacked again in December 2018, and a third time in January 2019.

Given the notoriety of the group, the PCI Security Standards Council joined forces with the Retail and Hospitality Information Security and Analysis Center (ISAC) to warn companies of the growing threat of attacks such as those perpetrated by Magecart.

Formjacking

In its Global Security Report, cybersecurity vendor Trustwave reveals that payment card data is the most coveted type of information for criminals to get their hands on, comprising 36 percent of breach incidents. One of the most common ways in which they steal that data is through formjacking.

Digital Payment Card Skimming (DPCS) – or formjacking – is where criminals inject malicious JavaScript (JS) code to steal credit card details and other information from the payment forms on checkout pages of ecommerce websites.

Because PCI compliance prevents the three-digit credit card security number from being stored on a website’s servers, hackers are focusing their efforts on the client side of the website, to harvest those details as they are entered.

Demand for stolen data

The average price fetched by card-not-present data has doubled. Traditionally, the average price for card data stolen from online retailers, known as CVVs, has ranged somewhere between $2 and $8 per account.

This demand is almost certainly contributing to the rise in ecommerce websites getting hacked. The situation is exacerbated further by hackers turning to the dark web to easily purchase the malware needed to target websites.

"Securing of third-party infrastructure and restricting access and permissions of third-party scripts to only trusted sources is also essential. Organizations should perform due diligence on third-party service providers and use only trusted software vendors." (Retail and Hospitality Information Security and Analysis Center (ISAC) & PCI Security Standards Council)

Third-party vulnerabilities

Unfortunately, the third-party applications and services that make websites more attractive or functional – such as those used to gain meaningful customer insights, inform business decisions and enrich the customer experience – also make them more vulnerable and thus more attractive targets for criminals.

According to ecommerce industry research group Retail Systems Research (RSR), the average retail website now uses between 40 and 60 third-party technologies to create its online experience. Once compromised, these third-party services are used by hackers like Magecart to inject malicious JavaScript into their target websites, resulting in stolen personal data such as credit card details.

This was the case with Ticketmaster, where cybercriminals compromised Inbenta, a third-party supplier. From Inbenta they placed digital skimmers on several Ticketmaster websites. But Ticketmaster is not alone – 61 percent of US companies have experienced a data breach caused by one of their vendors or third parties.

Even more serious is that, because these third-party functions are typically used by multiple ecommerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.

"As web pages pull content from increasingly disparate and nebulous sources, we’re seeing more content getting injected in the browser from third-party add-ons." (F5 Application Protection Report 2019)

Ponemon Institute “Data Risk in the Third-Party Ecosystem” study:
- 22% of companies don’t know if they had a third-party data breach in the past 12 months
- 59% of companies have experienced a data breach caused by one of their vendors or third parties
- 69% say that a lack of centralized control is the key reason for not having a comprehensive inventory of third parties

Other hidden dangers

While this guide focuses on data loss through web-based vulnerabilities, it’s important to remember that there are other ways hackers can damage your business. One example is clickjacking, where criminal groups inject malicious scripts that hijack user clicks on online ads to boost their profits.

Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. The firm notes that in this case, “the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iFrame into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.”

While some malicious scripts perform clicks on ads for monetary profit, others intercept clicks to redirect users to malicious sites showing scareware, tech support scams or malware-laced apps.

Similarly, you may fall victim to ad injection, sometimes referred to as customer journey hijacking. This is where unauthorized ads are injected into your website visitors’ browsers, diverting them away from your website to your competitors. All of these web injects

57 percent of companies say they cannot identify leakage of sensitive data from the browser, and 47 percent cannot prevent leakage of sensitive data from the browser.

Lack of investment in website security

Fewer than half of all companies surveyed in the Ponemon study say managing third-party risks is a priority within their organization. This is in keeping with Ensighten’s own research, which shows that 83 percent of US companies questioned, many with a global presence, suspect they are at risk of breaches – but two-thirds of them have not yet put proper protective measures in place.

Those questioned for the report, The Alarming Data Security Vulnerabilities Within Today’s Enterprises, claim a high level of awareness of client-side website security vulnerabilities. Still, they admit their organizations are not taking proactive measures and are effectively under-invested in protection.
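The ISAC guidance quoted above (restrict third-party scripts to trusted sources) and the Ponemon finding that most companies lack a comprehensive inventory of third parties both start from the same question: which script origins does a checkout page actually load? As an added example, not taken from the eGuide or from Ensighten, the following Python audit extracts every script source from a page's HTML, classifies each as first-party, allowlisted or unknown, and flags cross-origin scripts that carry no subresource integrity hash; the sample page, its hostnames and the integrity value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page; every hostname and the
# integrity value are placeholders, not values from the eGuide.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.tag-vendor.example/tag.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.widget.example/loader.js"></script>
<script src="//stats.unknown-host.example/pixel.js"></script>
<script>window.cfg = {};</script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Records the src and SRI status of every <script> tag, and counts inline ones."""
    def __init__(self):
        super().__init__()
        self.srcs = []      # list of (src, has_integrity_attribute)
        self.inline = 0     # inline <script> blocks with no src
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.srcs.append((attrs["src"], "integrity" in attrs))
        else:
            self.inline += 1

def audit_scripts(html, first_party, allowlist):
    """Classify each external script by origin; returns (findings, inline_count)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.srcs:
        host = urlparse(src).hostname   # None for relative paths; set for "//host/x"
        if host is None or host == first_party:
            origin = "first-party"
        elif host in allowlist:
            origin = "allowlisted"
        else:
            origin = "UNKNOWN"
        findings.append({"src": src, "host": host or first_party,
                         "origin": origin, "sri": has_sri})
    return findings, collector.inline

def needs_review(findings):
    """Scripts to act on: unknown origins, or third-party scripts without an SRI hash."""
    return [f["src"] for f in findings
            if f["origin"] == "UNKNOWN" or (f["origin"] != "first-party" and not f["sri"])]

if __name__ == "__main__":
    found, inline = audit_scripts(SAMPLE_HTML, "shop.example",
                                  {"cdn.tag-vendor.example", "chat.widget.example"})
    for f in found:
        print(f"{f['origin']:<12} sri={f['sri']!s:<5} {f['src']}")
    print(f"inline scripts: {inline}; needs review: {needs_review(found)}")
```

Scripts an allowlisted vendor loads at runtime do not appear in the static HTML, so this inventory is a starting point that a client-side monitor must complete.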