3rd Party Website JavaScript
3rd party JavaScript refers to scripts, made available from 3rd party vendors, that are embedded into websites to enrich the customer experience, enhance analytics, and monetize sites via advertising. 3rd party scripts can provide powerful functionality, but they introduce risks to privacy, security, performance, and page behavior.
There is a strong correlation between the number of 3rd party JavaScript enhancements and overall website effectiveness. However, increased utilization of 3rd party tools leads to increased risk from an uncontrolled and rapidly expanding attack surface.
Recent JavaScript Attacks
June 2018 – MageCart Threat Actor
Since March 2016, payment card and private customer data have been stolen from dozens of major E-Commerce vendors worldwide. The ultimate scope of the MageCart attack impacts thousands of websites and operated largely undetected for 3+ years. This is possibly one of the largest payment card thefts ever discovered. Notable victims include Ticketmaster, British Airways and NewEgg. Malicious JavaScript code acting as a form grabber or a simple keylogger was injected via compromised 3rd party JavaScript vendors integrated onto compromised websites. As buyers provided payment details, the data was captured and sent in real-time to the MageCart threat actor. Significant GDPR data privacy compliance implications are evident in this large-scale attack.
It’s critical to note that this attack vector is completely new and entirely different than traditional data theft methods infecting the buyer’s computer, implanting malware in Point of Sale terminals, or infiltrating corporate defenses to access stored databases. This new attack vector is increasing in scope and capable of launching attacks at massive scale. This is particularly evident in the MageCart attack.
April 2018 – 3rd Party Chatbot Service [24]7.ai Compromised
A chat and support service integrated onto notable vendors including Delta, Sears, Best Buy and Kmart was infiltrated and resulted in over 1M credit card numbers being skimmed from these well-known enterprise web commerce sites. Again, attackers leveraged JavaScript to skim payment record details and exfiltrate these data to servers owned by the threat actors.
October 2017 – Malicious Re-Directs from Major US-Based Credit Agencies
A 3rd party integrated onto Equifax and TransUnion websites included JavaScript code from a compromised fourth party. The JavaScript was modified to ensure that when the credit agency site loaded the victim’s browser was redirected to malware. The site owners acknowledged that “Anyone using the (compromised) library may have been affected, and not even know that they been compromised.” The agency further acknowledged that this JavaScript attack allowed the attacker to access victim’s data, submit false data on behalf of the victim, or deface the (Equifax or Agency) page.
2017- Watering Hole Attack on EU parliament
This attack illustrates that compromising 3rd party vendors can be leveraged to launch hyper segmented, targeted attacks. An ad network operating on a news website frequented by parliament members was breached and used to redirect users to a webpage which distributed targeted malware directly to parliament users only.
When deployed at small scale, attacks leveraging the flexibility of JavaScript to launch client-side attacks, are particularly hard to detect. In many cases these attacks may be implemented, sensitive data exfiltrated and all evidence of the infiltration subsequently removed as the modified JavaScript is returned to its original state.
Source Defense V.I.C.E.
Source Defense provides an entirely new and unique solution to prevent website supply chain attacks. Source Defense’s real-time, all-the-time prevention leverages a fully automated and machine-learning assisted set of policies that control the access and permissions of all 3rd party tools operating on a website. The Source Defense solution ensures those 3rd parties only deliver the intended user experience and may not be leveraged for malicious data extraction or website alteration.
By removing the security, risk, and compliance considerations from 3rd party integrations, Source Defense saves countless man-hours spent on tests and integrations. This allows website owners to focus on enhancing user experience and driving web commerce revenues while ensuring the security and privacy of customer and payment data.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
