If someone at your company were to tell you that a critical database was left unprotected for the past six months, exposing data of millions of your customers, you’d likely be outraged. In 2019 forgoing basic server security is completely unacceptable.
But then we look at the growing wave of Magecart attacks — malicious credit card skimming code that’s typically injected via compromised third-party tools — and learn about data breaches that took two, five, or even six months to be detected. Such was the case of the recently disclosed data breach at the National Baseball Hall of Fame website, which remained active and undetected between November 15, 2018 and May 14, 2019. While we still don’t know how many customers had their credit card information stolen in this attack, other Magecart attacks on Ticketmaster resulted in 40,000 stolen credit cards and took 5 months to be detected. And more recently, the attacks on Amerisleep and MyPillow also remained undetected for 2 months.
The picture gets much grimmer when we consider that a single Magecart attack typically breaches not one but hundreds or even thousands of businesses at once. The biggest to date infected 17,000 websites in one go. Unlike a first-party data breach, which often requires attackers to infiltrate a database, third-party data breaches like Magecart originate from attackers going after the enterprise’s smaller, less secure providers which are the weakest link in the web supply chain. This makes attackers’ lives arguably easier, especially when we again consider this huge discrepancy between server-side and client-side security.
There clearly hasn’t been enough awareness and investment in client-side security, especially in preventing Magecart attacks. Now that we saw some big headlines on the British Airways $230 million GDPR fine following the 2018 Magecart attack, hopefully, the C-Suite has become aware of the real damages of a client-side data breach. Now, a further push must be made for spreading awareness on the most suitable approaches to mitigate Magecart and other web supply chain attacks.
It’s undeniable that these attacks exploit the Achilles heel of web security: zero visibility over what’s happening on the client-side of web applications. For each day that a Magecart attack flies under the radar, potentially thousands of new customers have their credit cards stolen. To gain full visibility and greatly minimize this attack surface, businesses must address webpage monitoring solutions. These enable detecting every piece of malicious client-side code in real-time, all the while triggering countermeasures to block the attack at its inception.
And the bottom line is quite simple: every company with websites that process credit card payments and which isn’t monitoring webpages in real time is potentially being breached by a Magecart attack as we speak. And worse, all customers whose credit cards are being stolen won’t be notified until it’s too late. If nobody at your company knows what’s going on with the client-side of your website, then you probably have the right to be filled with outrage and take action while there’s time.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.