Threat Briefing: Safeguard Websites From Third-Party JavaScript Attacks

How to protect the enterprise from the growing Magecart threat vector

Cyber security experts believe that Magecart threat actors have been around since 2015, however the group really surfaced through an initial discovery in June 2018 when Ticketmaster was attacked. Since then, the group has stepped up its game with more sophisticated and pervasive attacks, while doing a good job at covering up its tracks.

According to award-winning security blogger, researcher, podcaster and public speaker Graham Cluley, there have been reports that close to 50,000 online stores have been compromised by this threat so far. In fact, in the last six months, British Airways, Feedify, Umbro, Vision Direct, Newegg, BevMO and most recently, Titan Manufacturing and Distributing have all revealed that they have been compromised by Magecart.

See Related: "Mitigating Magecart Attacks – Why Real-Time Prevention Is Your Best Option"

“The fundamental problem is this – just about every website uses third-party Javascript used by other people. It’s an easy way to add functionality to a site with no coding required. A very common example is Google Analytics, used by many millions of websites to provide webmasters with a way of collecting web traffic statistics,” explains Cluley.

And while your company may have security in place to prevent hackers from successfully breaking into your systems, with a Magecart-style attack, they haven’t directly compromised your IT infrastructure. Instead, they have poisoned a third-party script used by your website. “It’s equivalent to poisoning a water supply upstream from where it’s being drunk,” he says.

Take Preventative Measures

The best action for the enterprise is to prevent an attack from happening in the first place. By implementing technology that controls the access and permissions of every third-party JavaScript vendor running on web pages, helps to insulate websites, visitors and private customer data.

Prevention approaches not only help to secure the organization, but are required for data control as defined by regulatory compliance (like GDPR). That is why on February 27th, Cyber Security Hub will host a web seminar which will tap into the expertise of Cluley and present various preventative approaches including:

  • Content Security Policy
  • Monitoring & Detection
  • Vendor Due Diligence Assessments
  • Restricting the Usage of Third-Party Tools

Every website is susceptible to this attack vector as traditional security programs cannot prevent client-side third-party JavaScript attacks. Register and attend the full web seminar to raise your awareness of this universal flaw and start safeguarding your organization from this vulnerability today.