Attacks that use malicious JavaScript continue to rise because of the way we now integrate dynamic content into our web sites.  JavaScript, both server and client side, is commonly used for everything from targeted advertising, user analytics, CDNs, web content and social media integration through to some payment services, and everything in between.  Because of this increased reliance on third-party client-side JavaScript (on average 58% of the content on a web site is delivered by third parties), website owners are leaving their clients and consumers open to attacks such as formjacking, cross-site scripting and payment card skimming, to name just a few.

Tala Security Inc, a global web security solutions provider, released a study (Global Data At Risk, State of the Web Report) in July 2020 which identified some eye-watering facts.   Tala reviewed the Alexa top 1000 web sites[1] and found that only 1.1% had effective security in place for their JavaScript usage, down 11% on the previous year.  The remaining 99% of web sites analysed were at risk, many via trusted or authorised domains such as Google Analytics, through which data could be exfiltrated.  The analysis found the average site used ten (10) external connections into the consumer's browser, an increase of 21% on 2019.

The most common and most talked about type of JavaScript breach is MageCart.  MageCart is a name created by the security solutions provider RiskIQ to classify common attack trends they were seeing, initially against the eCommerce platform Magento[2].  Since they began classifying attacks in 2015 on websites where JavaScript was the primary means of data exposure, RiskIQ has classified more than fifteen (15) individual attack methods, where either the code used or the means of deployment were similar.  The most recent addition to the MageCart family was discovered as recently as April 2020.  In 2015, MageCart attacks used server-side JavaScript, which required the compromise of user credentials to gain access to the Magento Content Management System (CMS) before the malicious JavaScript could be introduced to the environment.

2018 saw a dramatic change in modus operandi, to the cost of the likes of TicketMaster and British Airways.  The attackers moved away from individual web sites and targeted the supply chain.  By breaching third-party providers who served content via JavaScript directly to a consumer's browser, not only had they found environments where security controls were weaker, but they were also able to breach multiple environments at once.  The attack involving TicketMaster is reported to have breached up to eight hundred (800) eCommerce web sites through the compromise of a single service provider.

So, what makes JavaScript such a lucrative modus operandi for those looking to steal our payment and personal information?  In short, the attackers have found a hole in our traditional approach to web site security.  By using JavaScript code hosted at a third-party location, either on a compromised server or within a legitimate service provider, the code is served directly to the consumer's browser and is therefore outside the traditional security perimeter, which looks inwards at the web server and any accompanying network.  With only 1% of the top 1000 most visited websites employing effective security against such vulnerabilities, most small to medium size enterprises have no security approach to combat these modern JavaScript threats.

In the first half of 2020 alone, big names such as OlympicTickets2020, NutriBullet, Tupperware, Fitness Depot, Claire's, Intersport, EasyJet and Robert Dyas have all fallen victim to JavaScript data breaches.

JavaScript traditionally comes in two (2) forms: static, hosted and served directly from the primary web server, and dynamic, hosted and served by a third party directly to the consumer's browser.  A new security approach must be adopted to secure both.

Whilst the traditional perimeter security controls, such as network and web application firewalls, and inward-facing controls, such as integrity monitoring, anti-virus and log monitoring, must remain, web site owners, managers and developers must also adopt a new approach in which the website frontend is treated as an attack surface. In line with the OWASP guidance on managing third-party JavaScript, the following browser-native security controls must be implemented:

  • Content Security Policy (CSP)
  • Subresource Integrity (SRI)
  • Cross-origin resource sharing (CORS)
  • Strict Transport Security (HSTS)
  • Referrer-policy
  • Feature-policy
  • Trusted Types
  • iFrame sandboxing
  • Regular reviews of the website frontend functionality

Failing to adopt the above security controls could be catastrophic when the attackers come knocking, and they will!  Such attacks are no longer restricted to the Magento platform: similar methods have been identified by the 3B Data Security forensics team in other eCommerce platforms, such as WordPress, JShop, Joomla, bespoke environments and Windows-based systems.  A data breach can wipe as much as £8.8 million off the share price of a major UK company.  And for the SMEs who are most likely to face such a breach, costs could be in the region of £20,000 - £30,000 to cover the investigation, fines and administration fees, and the costs of achieving compliance after the breach.  That does not include any additional fines your business may face from the Information Commissioner's Office for breaches of GDPR.

To avoid the devastating costs and reputation damage of a data breach, and for any assistance in protecting your web site from JavaScript attacks, please contact 3B Data Security. 3B Data Security offers a range of services to identify your vulnerabilities and attack surfaces, and to help you plug the holes with our industry-leading expertise in the security of all information, from single web servers and retail outlets to complex corporate networks.

[1] A dynamic list of the most popular websites collated and published by Alexa Internet, a subsidiary of Amazon. Alexa Internet collects and analyses data of Internet browsing behaviour.

[2] Magento is an open-source eCommerce platform written in the language PHP.  The platform provides the facilities to set up and manage an online store, with built-in functionality for accepting card payments.