According to the new “2019 State of the Web” report from security vendor Tala Security, 98% of U.S. Alexa 1000 websites are inadequately secured against client-side attacks such as Magecart. The report, which raises significant alarm bells about the current state of modern web architecture, is designed to educate enterprises about critical, under-recognized security threats related to web assets and third-party vendors that support them. The findings about Magecart security vulnerabilities are particularly relevant during the holiday shopping season, given the frequent use of these client-side attacks to skim credit card information from unsuspecting web users.
Key takeaways from the Tala Security report
In conducting its report, Tala Security focused its attention on the Top 1000 U.S. websites based on monthly traffic numbers. What the security vendor found was staggering – an overwhelming majority of top global brands and retailers fail to deploy adequate security to guard against client-side attacks. These client-side attacks occur when a user downloads malicious content. In security circles, the term “client-side” simply means that the action takes place on the user’s computer (where the user is the “client”), while the term “server-side” means that the action takes place on a web server. Thus, malicious code is executed in the browser when visiting a website.
And there is one other concern that makes this reliance on third-party vendors potentially so dangerous – 98% of websites use forms to collect personally identifiable information (PII) and financial data (such as payment card data). And this user form data is exposed to an average of 15.7 third-party domains. Thus, a consumer who thinks that he or she is only sharing personal information with a trusted retailer is actually sharing this highly sensitive information with 15.7 other sources.
This is why Tala Security points out, “Modern website architecture creates opportunities for attackers.” If you are booking a holiday vacation, you want to be able to see dazzling photos and videos, and have access to all sorts of account preferences – but the chances are that all of the code that generates this content has been supplied by third-party vendors. That means most websites are highly vulnerable to client-side attacks.
Magecart client-side attacks
The one type of client-side attack that occurs all too frequently is known as a Magecart attack. This type of attack, named for a cybercriminal syndicate that typically targets retailers and hospitality companies, works by inserting a small piece of malicious code on websites in order to skim information. Once it has been inserted, it can start to collect information that has been inserted into forms, or on the checkout page of a website, with the primary emphasis on payment card data. The whole point of a Magecart attack is to act like a credit-card skimmer, scooping up payment card data and personal information of everyone who visits a certain page of a targeted website.
For an example of a Magecart attack in action, consider the recent client-side attack on Macys.com. Macy’s is one of the most popular retailer websites in the U.S., and for that reason, was targeted by Magecart cybercriminals. In early October, they inserted a piece of malicious code on the Macys.com website, such that they could skim the credit card details of Macy’s customers looking to buy clothing or other items online. While Macy’s managed to contain the attack after just a week due to sophisticated risk analysis of the type of code executed on its website, the attack still resulted in thousands of customers having their PII and financial data stolen by hackers.
This type of scenario, suggests Tala Security, could play out many times throughout the 2019 holiday season, when cybercriminals know that retailers are counting on peak user activity and may not have the resources to monitor the type of code executed on their websites. Tala Security specifically mentions the “unprecedented level of vulnerability” of these websites, due to the ever-present risk of client-side attacks. And in August 2019, the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC issued a joint bulletin on the threat of online skimming to payment security. As might be expected, the retail and hospitality sectors are at the greatest risk of these card-skimming attacks due to their reliance on credit card transactions.
How to prevent client-side attacks
According to Tala Security, there is one possible remedy for these vulnerable websites: standards-based security implementations. Yet, as Tala found, only 27% of websites currently deploy standards-based security. And only 2% of websites deploy content security policies (CSPs) capable of preventing client-side attacks. It is for this reason that Tala Security says that 98% of U.S. Alexa 1000 websites are vulnerable to client-side attacks.
Going forward, hackers will continue to target widespread client-side vulnerabilities. And it’s not like website operators have not been warned – both the FBI and PCI Council have warned about this hacker threat. It’s time for websites to step up their security protocols and implement effective controls to prevent PII, financial data and credential theft.