With the dramatic rise in e-commerce transactions, the shift to online healthcare and the surge in online banking brought about by the pandemic over the past two years, it should come as no surprise that ‘Magecart’ (or better defined as ‘client-side’) attacks are on the rise. The first few months of 2022 have delivered a steady drumbeat of digital skimming, formjacking and credential harvesting attacks. The beat is so steady that, according to a recent report, Magecart attacks happen once every 16 minutes.
As your organization evaluates third-party risk, it needs to understand that client-side attacks represent a real and present danger in your digital supply chain, as well as a potential material loss of millions of dollars. Client-side attacks are made possible by the fact that your websites are powered by potentially dozens of third-party vendors whose JavaScript loads outside the server-side protections you have in place – directly in the browser of the millions of customers interacting with your sites. Criminals understand this is a blind-side in your defenses. They know JavaScript vulnerabilities have long been overlooked, and they’re taking advantage of this being effectively 'shadow code' that companies have no visibility into or control over.
If that’s not enough to keep you up at night, consider how the majority of client-side attacks have run for months or years at a time – not hours, days or weeks – before being discovered.
Once you discover the attack, you’ll be liable for not protecting the privacy and safety of your customers and will potentially face fines from compliance regimes like PCI, GDPR and more, not to mention the backlash and defacement to your business’ reputation. Client-side attacks are costly and damaging, but unlike most things in security, they’re actually quite easy to address. The following is some advice you can employ to take this third-party risk off the table.
1. Understand Your Potential Risk
Your website can’t function properly without third-party partners, yet the JavaScript they employ leaves your website exposed to massive threats on a daily basis. By acknowledging this third-party risk, you’re already investing heavily in risk mitigation. Understanding potential risk is vital to informing your business that it must invest in client-side web application security.
Start by auditing your website and take note of:
- How many third-party vendors you’re using
- How many fourth and fifth parties they work with to power their solutions
- What purpose each of these vendors serves, and what they should and shouldn’t be doing
- Whether or not the required plugins are on highly sensitive pages
- Whether or not their code gives read/write access to forms
- How all of this impacts compliance policies
2. Make Client-Side Web Application Security a Priority
Once you understand what’s actually happening across your sites, it’s important to get stakeholder buy-in. First, investing in client-side web application security platforms isn’t some new area of budget that must be carved out. This is third-party risk, and money is already available to invest in third-party risk management. Second, don’t approach the conversation without a quantified understanding of the potential impact of an event. Do the math and make sure you can explain: “If this happens, it could cost us $XXX.”
If the conversation is driven in business terms, companies will invariably decide to treat the risk. The right approach to mitigating client-side attacks can be affordable, easy to implement and carry a very low burden on teams. Unlike a Magecart attack, the cost of protecting your business and customer data does not break the bank.
3. Avoid Detect-and-Alert Security Platforms
If you’re already drowning in a sea of alerts from across the security stack, the last thing you can afford to do is double down on detect-and-alert to fight against client-side attacks. The sheer volume of daily interactions on your websites could potentially lead to tens of thousands of additional alerts for your teams to inspect. By the time you sift through this multitude of alerts (which you often don’t because the average is 11,000 per day for SecOps teams), you will not catch those coming from client-side attacks.
Once you receive an alert, it’s up to you to decide:
- Was the alert really a problem?
- Was it a false positive?
- How likely is the threat to cause harm?
- Which of your websites are affected?
- Do you need to react now, or can this wait?
4. Don't (Over)burden Your Team
Finding the right protection for your website from Magecart attacks is key to mitigating the burden on your already overburdened team. Many security platforms pepper you with thousands of alerts each day. However, almost one-third of all alerts are false positives. Plus, since the volume of alerts is so high, nearly 28% of them are never addressed.
Final Thoughts
The truth is, waiting to act is waiting to be attacked. Securing your business from Magecart attacks with prevention-first technology is key. And as the number of attacks increases year over year, there has never been a more critical time to invest in client-side web application security than right now.