
FINANCE WHITEPAPER

MAGECART AND FORMJACKING THREATS AGAINST THE FINANCIAL INDUSTRY


APPROACHES TO MITIGATING WEBSITE SUPPLY CHAIN ATTACKS


Executive Summary

Financial institutions are prime targets for Magecart and similar threats, in addition to other cyber attacks. One reason is that they are undergoing massive digital transformation while handling a high volume of transactions, assets and sensitive data. More than ever, people handle their financial transactions online. They also expect their trusted financial advisors and their online experience to be secure, private, and consistent during each and every interaction.

A study by RiskIQ found that the average cost of a data breach for financial services companies is $3.8 million, and that the banking industry’s total annual losses from phishing scams exceed $1 billion. Whether they involve direct data theft or leverage a bank’s brand to commit fraud, breaches can have a significant impact on profitability and resources.

Additionally, in the recent past several banks suffered $87 million in combined losses from attacks that compromised their Society for Worldwide Interbank Financial Telecommunication (SWIFT) infrastructure. More notably, in 2018 a single cybercriminal group siphoned $1.2 billion from over 100 financial institutions in 40 countries before its ringleader was arrested. Attacks on the financial sector may not generate as many headlines as those perpetrated against eCommerce, but they are just as costly and detrimental to an organization’s brand.

A financial institution’s business model is based on trust. A few years ago, Wells Fargo faced a PR nightmare when millions of fraudulent savings and checking accounts were created on behalf of Wells Fargo clients without their consent. The Consumer Financial Protection Bureau (CFPB) fined the company a combined US$185 million as a result of the illegal activity. The company has faced, and continues to face, additional civil and criminal suits reaching an estimated $3 billion.

There is nothing more critical to financial institutions than the security of their sensitive customer data, not only because it’s expected by their customers but also because they operate in a highly regulated environment. Attackers can destroy relationships, violate trust and introduce doubt with amazing speed and precision.

A universal website flaw that leaves customer and payment data exposed has been increasingly exploited by attackers at mass scale, notably in the financial sector. This flaw prevents website owners from controlling what data can be accessed or stolen by their website supply chain vendors and by the hackers that exploit them. Every website is susceptible to this attack vector, as no component of traditional security programs can prevent the modification of client-side 3rd party JavaScript. This threat briefing is intended to raise awareness of this universal flaw and to introduce preventative measures that may be taken.

Money isn’t your most important asset – Trust is


3rd Party Website JavaScript Overview

3rd party JavaScript refers to scripts, made available by 3rd party vendors, that are embedded into websites to enrich the customer experience, enhance analytics, and monetize sites via advertising. 3rd party scripts can provide powerful functionality, but they introduce risks to privacy, security, performance, and page behavior.

There is a strong correlation between the number of 3rd party JavaScript enhancements and overall website effectiveness. However, increased utilization of 3rd party tools leads to increased risk from an uncontrolled and rapidly expanding attack surface.

Due to the designed flexibility of JavaScript, external 3rd party JavaScript authors, like those integrated into every website, have full, developer-level DOM access to your site via an unmanaged client-side connection. This means that website owners are unable to control website integrity and modification privileges for any of the dozens of 3rd parties integrated into their website. More troubling is that these 3rd parties routinely chain in multiple 4th and 5th parties that share the same level of unrestricted access to your website. It is these unmanaged client-side website connections that attackers have increasingly been targeting to modify the website and exfiltrate customer and payment data.

Attacks aimed at financial institutions’ websites:

• Payment card skimming
• Keylogging
• Form field manipulation
• Web injection
• Phishing
• Content defacement
• Clickjacking
• Malware and ransomware distribution
• Watering hole attacks

Inherited & Uncontrolled Risk for Financial Companies

A study by Akamai revealed that 94% of observed attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which alone accounted for more than 8 million attempts during the reporting period). The third most common attack type, cross-site scripting (XSS), was used in 50.7 million attacks, 8% of observed attack traffic.
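The 4th and 5th party chains described above can be made visible from the page's own network activity. The following is an added example, not code from the whitepaper or from Source Defense: it reconstructs which party loaded each script from HAR-style request entries (constructed sample data; the initiatorUrl field and the placeholder origins are assumptions) and flags every connection the site owner never approved.

```javascript
// Added example (not from the whitepaper): reconstruct the 3rd/4th/5th-party
// chain of scripts a page actually loaded, from HAR-style request entries.
// Assumption: each entry records the URL of the script that triggered it (as
// Chrome's HAR "_initiator" does), flattened here to { url, initiatorUrl }.
const FIRST_PARTY = "https://bank.example-placeholder.test"; // constructed
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}
// Party number: 1 = first party, 3 = loaded by the page from another origin,
// 4 = loaded by a 3rd party, and so on. Same-origin loads stay the same party.
function partyChain(entries) {
  const byUrl = new Map(entries.map((e) => [e.url, e]));
  const memo = new Map();
  function party(url, seen) {
    if (memo.has(url)) return memo.get(url);
    if (seen.has(url)) return Infinity; // cycle guard
    seen.add(url);
    const e = byUrl.get(url);
    const init = e && e.initiatorUrl;
    let p;
    if (!init || originOf(init) === FIRST_PARTY) {
      p = originOf(url) === FIRST_PARTY ? 1 : 3;
    } else if (originOf(init) === originOf(url)) {
      p = party(init, seen);
    } else {
      p = party(init, seen) + 1;
    }
    memo.set(url, p);
    return p;
  }
  return entries.map((e) => ({ url: e.url, origin: originOf(e.url), party: party(e.url, new Set()), via: e.initiatorUrl || null }));
}

// Anything the site owner never chose (party >= 4) or that is not on the
// approved vendor allowlist is an unmanaged supply-chain connection.
function unmanagedParties(entries, allowlist) {
  return partyChain(entries).filter((s) => s.party >= 4 || (s.party === 3 && !allowlist.includes(s.origin)));
}

// Constructed sample: an approved analytics vendor chains in a tag loader,
// which in turn pulls a further script from yet another origin.
const SAMPLE_ENTRIES = [
  { url: "https://bank.example-placeholder.test/app.js", initiatorUrl: null },
  { url: "https://analytics.vendor-placeholder.test/tag.js", initiatorUrl: "https://bank.example-placeholder.test/app.js" },
  { url: "https://analytics.vendor-placeholder.test/lib.js", initiatorUrl: "https://analytics.vendor-placeholder.test/tag.js" },
  { url: "https://tags.fourth-placeholder.test/loader.js", initiatorUrl: "https://analytics.vendor-placeholder.test/lib.js" },
  { url: "https://cdn.fifth-placeholder.test/x.js", initiatorUrl: "https://tags.fourth-placeholder.test/loader.js" },
];
const APPROVED = ["https://analytics.vendor-placeholder.test"];
```

Run against a real HAR export, the flagged list is the inventory of 4th and 5th parties the site owner has to either approve or cut off.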


Outsourcing Compliance with iframes

In April of 2020 it was reported that an online merchant using a ‘hosted fields’ solution provided by PayPal’s Braintree service had been compromised, something which was previously thought impossible. Put briefly, this security technique relies on having a payment processor provide a JavaScript file, included in the merchant’s website, that dynamically builds hosted fields to accept payment data. Input fields, or fields for short, are the text boxes where shoppers enter information into a webpage, such as the size or quantity of a product, or payment information to complete a transaction.

In the case of hosted fields, the input boxes do not truly exist on the merchant’s web page but are created by the payment processor’s technology and remain separate from the storefront webpage. They are visible to the shopper and appear no different than any other element on the page. They also eliminate the burden of securing the payment fields and of ensuring that the merchant is in compliance with PCI-DSS. This is made possible by a technology known as an iframe, a way to instruct a web browser to put content in a box that is kept separate from the main webpage; for hosted fields, that box is served by the payment processor rather than by the merchant.

So how was the attacker able to steal data even though iframes were being used to protect the visitor’s payment data? The answer lies in JavaScript, specifically 3rd party JavaScript, and the immense power it can exert within the web browser.
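One way a defender can watch the hosted-fields iframe for the kind of parent-page tampering the question above points to, as an added example that is not code from the whitepaper, Braintree or Source Defense; the processor origin, the element ids and the /integrity-report endpoint are assumed placeholders:

```javascript
// Added example (not code from the whitepaper or any payment processor): a
// defender-side integrity check for a payment processor's hosted-fields iframe.
// The parent page cannot read inside the iframe, but every script running in
// the parent (3rd-party scripts included) can alter the iframe element itself.
const PROCESSOR_ORIGIN = "https://fields.example-processor.test"; // assumed placeholder

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}
// record is a plain-object stand-in for a browser MutationRecord:
// { type, targetId, attributeName, newValue, addedNodes: [{ tag, src, id }] }
function assessIframeMutation(record, iframeId) {
  if (record.type === "attributes" && record.targetId === iframeId) {
    if (record.attributeName === "src" && originOf(record.newValue) !== PROCESSOR_ORIGIN) {
      return { severity: "high", reason: "iframe src left processor origin", detail: record.newValue };
    }
    if (["sandbox", "style", "hidden", "class"].includes(record.attributeName)) {
      return { severity: "medium", reason: `iframe ${record.attributeName} changed`, detail: record.newValue };
    }
    return null;
  }
  if (record.type === "childList") {
    for (const node of record.addedNodes || []) {
      if (node.tag === "script") {
        return { severity: "high", reason: "script injected at runtime", detail: node.src || "(inline)" };
      }
      if (["input", "form", "iframe"].includes(node.tag)) {
        return { severity: "high", reason: `unexpected <${node.tag}> in payment container`, detail: node.id || "" };
      }
    }
  }
  return null; // benign mutation
}

// Browser wiring (returns false under Node): watch the payment container and
// beacon findings to an assumed first-party /integrity-report endpoint.
function installObserver(containerId, iframeId) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return false;
  const toRecord = (m) => ({
    type: m.type, targetId: m.target.id, attributeName: m.attributeName,
    newValue: m.attributeName ? m.target.getAttribute(m.attributeName) : null,
    addedNodes: Array.from(m.addedNodes).filter((n) => n.nodeType === 1)
      .map((n) => ({ tag: n.tagName.toLowerCase(), src: n.getAttribute("src"), id: n.id })),
  });
  new MutationObserver((muts) => muts.forEach((m) => {
    const finding = assessIframeMutation(toRecord(m), iframeId);
    if (finding) navigator.sendBeacon("/integrity-report", JSON.stringify(finding));
  })).observe(document.getElementById(containerId), { subtree: true, childList: true, attributes: true });
  return true;
}
```

The observer itself runs in the same page as the 3rd party scripts, so it is a detection aid rather than a guarantee; a script that loads before it can still act unobserved.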


Websites’ Weak Links & the Scalability of Attacks

The uncontrolled access afforded to 3rd party JavaScript provides threat actors with an attractive path to penetrate a website’s security and exfiltrate customer and payment data. Instead of directly targeting the defenses of the highly secured website owner, threat actors target the more attractive target of the 3rd party vendor’s security infrastructure. Once they have breached the security defenses of a 3rd party vendor, or of a linked 4th party, threat actors leverage the flexibility of JavaScript to modify the code returned from the external 3rd party server to the client-side browser. Frequently these modifications involve the inclusion of card skimming code or other means of data exfiltration. Of additional benefit to attackers, this attack type is massively scalable, as the attackers immediately gain access to every website served by the compromised 3rd party JavaScript vendor. This is precisely how Magecart successfully scaled its attack to compromise thousands of victims.

The Evolution of an Industry - and the Threats That Come With It

Given the digital transformation the financial industry is undergoing, user experience and a feature-rich website are very important. Websites in the industry, therefore, rely on an ever-expanding ecosystem of 3rd party suppliers to enhance and personalize the user experience, increase engagement, track their customers’ journeys and behaviors, monitor transaction completion and so on. These 3rd party tools offer great benefits, but also provide attackers with an attractive gateway for malicious activities such as Formjacking, Magecart, JS skimming and more. Malicious code may be injected into your website or run in end-users’ browsers without their knowledge. Through banking trojans or web supply chain attacks, fraudsters tamper with transactions and steal sensitive user data. Unfortunately, this means that the more such tools are used, the more risk financial websites take upon themselves. Instead of hacking the websites themselves, hackers often attack the 3rd party plugins and use their JavaScript to hitchhike onto the website. Checking the security perimeter of any financial institution’s website is simply not enough. A website is affected by the security perimeter of all of the 3rd party tools it uses. Moreover, it has no control over what happens outside the 3rd party circle: there are 4th, 5th and 6th party circles that most website owners are not even aware of.

The cost of cyberattacks is highest in the Financial Industry, reaching $18.3 million annually, per company. Successful attacks on banks and financial institutions are the most costly of all, not only because of the financial losses but also because these breaches erode user trust.

Cybersecurity departments should expect to see a much larger arsenal of more sophisticated attacks in the future, as the same attack vectors that are being employed against financial services firms are being initiated and applied elsewhere.

Average Annualized Cost by Industry Sector


Inadequacy of Traditional Controls

It is highly advised that security teams diligently evaluate this attack vector, since current controls are not capable of preventing these types of attacks. The most common approach to website security is reactive: detection technologies such as DAST and RASP. By the very definition of detection, these technologies inescapably allow some impact before the detection is made. In many cases, this attack vector is hyper-targeted at a very small and specific sub-population of users, which evades most detection approaches. Detection technologies are not designed to dynamically monitor every website session, are incapable of scaling to effectively address client-side attacks, and create enormous alert fatigue. Most troubling, detection technologies allow the threat to persist, as the underlying flaw, unmanaged 3rd party connections, remains unaddressed.

Worldwide Compliance Risks

As is well understood, GDPR specifies a compliance framework upon which to build an infrastructure capable of maintaining responsible customer data privacy and control. Violation of GDPR provisions can result in fines of up to 4% of a company’s global annual revenues for any organization handling the personal data of EU citizens. Although no single vendor is capable of delivering a completely holistic GDPR solution, the data below surfaces a critical website exposure that must be considered in ALL preparation associated with GDPR compliance.

Source Defense specifically addresses multiple articles of the GDPR framework with which, without a dedicated solution, your organization would remain in non-compliance:

1. Article 5 - Processing of Personal Data

2. Article 16 - Rectify personal data

3. Article 17 - Erase personal data

4. Article 18 - Restrict personal data

5. Article 32 - Ensure system confidentiality


About Source Defense

Source Defense is the market leader in client-side web security, providing real-time threat protection against vulnerabilities originating in third-party scripts, such as Magecart and Formjacking attacks.

With its patented VICE platform, Source Defense protects web pages from vulnerabilities in third-party scripts. Source Defense’s solution isolates those scripts from the web page and allows them to read and write only according to permissions defined either by Source Defense’s recommended standards or by company-specific policies.

Source Defense extends the traditional security perimeter to protect your customers and fortify your security stack in real time.

An Innovative Approach in Securing Website Security Gaps

Source Defense provides an entirely new and unique solution to protect websites and their visitors from attacks that lead to data theft from the live customer web session.

Source Defense’s VICE solution secures websites, enables secure digital innovation, and ensures customer and payment data privacy via the only real-time prevention solution against website supply chain attacks. By isolating and sandboxing all 3rd party website code, website supply chain partners can be managed and controlled, preventing the unauthorized access to customer and payment data that hackers would otherwise exploit.

VICE delivers security without compromising the user experience or burdening your IT staff with unnecessary administration. Source Defense ensures that 3rd party website tools deliver only the intended website experience and that these JavaScript tools cannot be leveraged for malicious data extraction or website alteration.