In September 2020, cyber thieves compromised an estimated 2,800 retailers, injecting malicious code to steal the payment details of tens of thousands of customers. The attack is considered the work of Magecart, which uses JavaScript malware to target shopping carts associated with the Magento open-source e-commerce platform. Security experts say it is the largest Magecart incident ever – and is only one more in a series of incidents that convey the growing threat of client-side attacks, one of the most lucrative and popular exploit techniques in play today, occurring at a rate of once every 39 seconds.
Client-side attacks come at a significant – possibly even crippling – cost to retailers. At Source Defense, we reached an estimate that Magecart incidents require 65 to 130 hours in response time (or about four entire days if you cut it down the middle) for tasks such as the analysis of source code, web server files and logs. That doesn’t take into account the inevitable downtime, which is extremely costly for e-commerce businesses. According to research compiled by Gremlin, site downtime for retailers like Target, QVC and Wayfair can range from between $508,000 to $598,000 revenue loss per hour.
E-commerce companies are now developing cybersecurity budgeting plans and overall strategies for 2021 and beyond. They are seeing that traditional tools and approaches no longer suffice. To effectively respond to Magecart and other client-side attacks moving forward, they must incorporate the following critical components into their budgeting and strategies:
- Client-side prevention that protects in advance. E-commerce security teams benefit from solutions which enable monitoring that detects and prevents breaches in real-time – before they can do any damage – as opposed to after-the-fact alerts. As team members evaluate “what has worked during 2020 and what hasn’t,” they’ll likely discover that they’ve allocated too many resources on the server side instead of the client-side, where they haven’t implemented adequate layers of protection. In 2021, they need to focus on the client-side with tools which proactively prevent any malicious tampering on their web pages.
- Complete visibility of third-party/vendor activity. E-commerce companies use 40 to 60 third-party tools while adding three to five new third-party technologies to their sites every year. Websites today cannot ensure secure operations and compliance if they do not establish complete awareness/visibility of their entire third-party vendor environment. In fact, the European Union’s General Data Protection Regulation (EU GDPR) specifies that websites are liable for the actions of their third-party vendors.
- Zero trust. Once websites acquire total visibility of the third-party vendor environment, they must enforce effective controls over it. The surest and most ideal level of protection requires the restriction of third parties to only the information for which they’re authorized, i.e., zero trust. Virtual web pages play an essential role by creating replication of the original web page for the third party to access, but excluding what the third party isn’t authorized to see. If the third-party input is allowed, the virtual page will transfer it to the original web page. Because third-party scripts are isolated from the original website, hacker-created changes to JavaScript will not cause any harm.
We know that hackers pursue victims with two primary considerations in mind: Making the most money they can and doing it as easily as possible. Client-side attacks check both of these boxes, presenting cyber-adversaries with an abundance of opportunities. This means e-commerce leaders can’t afford to lapse into a passive/reactive posture here. They must proactively launch a defense strategy which incorporates absolute third-party vendor visibility and zero trust along with real-time monitoring that focuses on securing the client side – thus “unchecking the boxes” to advance to a higher state of protection.