Third-party plug-ins driving most retail sites can open doors to attackers
by Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks
In the unprecedented year of 2020, the rise in cyberattacks has been an unfortunate side effect of the global pandemic.
Magecart is more of a threat this year than ever before, both because a) more shoppers have moved online so the volumes are higher, and b) in the rush to introduce new online and curbside services during the pandemic, far more new plug-ins and APIs were added, creating new potential vulnerabilities.
As a result, the ecosystem at the retailer’s website level keeps expanding, forming a gargantuan supply chain whose full extent no one knows. This problem is far bigger than the owner of the domain can address on their own.
Vulnerability scanning does not pick up every sort of injection attack that Magecart thrives on.
Most Retail Websites Replete with Third-Party Components and Risk
Of the four techniques of injecting malicious code, three are done through supply chains and just one through direct code injection.
Ongoing pen testing of sites and auditing of source code are sorely needed, but third-party site builders often don’t take this on as their responsibility – it’s not their reputation at stake, but the site owner’s brand. Examples of plug-ins include ad servers and shopping carts with add-ons such as “rate this” on payment pages.
Shifting to crypto payments won’t reduce Magecart vulnerability. The Masad Stealer is an example of an attack that runs in the victim’s browser: when the victim enters the payment details of the party they intend to pay, the stealer replaces them with the attacker’s own, and the outbound payment is routed to the attacker.
Steps toward solutions that retailers should consider include:
- Subresource Integrity (SRI), which assures that content doesn’t get edited along the way. Most sites are edited by multiple third parties, such as content delivery networks.
- Companies must also identify all third-party e-commerce providers and advertisers they work with and ensure that they do continuous self-assessments and audits. The best way to do this is to require that their code be audited by a trusted third party. To then avoid supply chain injections, the company must host that third-party code itself where possible and not fall for the ease of inclusion by reference. It then needs to keep that code up to date with security patches.
- Ensure scanners have access to critical flows, such as shopping carts.
The biggest problem is a people problem – not with users and consumers, but with the organizations themselves. They don’t see the massive amount of unmanaged third-party plug-ins that drive their websites as vulnerabilities, so the problem continues.
About the Author
Mounir Hahad is Head of Juniper Threat Labs at Juniper Networks. He is a seasoned cybersecurity expert focused on malware research, detection techniques, and threat intelligence. He leads Juniper Threat Labs in identifying and tracking malicious threats in the wild, ensuring Juniper products implement effective detection techniques, and providing access to the latest threat intelligence needed to block malicious attacks. Prior to joining Juniper, Mounir was the head of Cyphort Labs and has held various leadership roles with Cisco and IronPort.
Mounir can be reached online at @Mounirhahad and at our company website https://threatlabs.juniper.net/signatures/#/