Inherited & Uncontrolled Risk
Supply Chain’s Weakest Link & Scalability of Attack
Page Load Flow With 3rd Parties
Inadequacy of Traditional Controls
It is highly advised that security teams diligently evaluate this attack vector, since current controls are not capable of preventing these types of attacks. The most common approach to website security is reactive detection technology (DAST, RASP). By definition, these technologies are designed to allow some impact before a response can be triggered. Detection technologies are not designed to dynamically monitor every website session and are incapable of scaling to effectively prevent client-side attacks. Today’s data privacy compliance requirements also mean that detection events require disclosures and may result in fines. Most troubling, detection technologies allow the threat to persist, as the underlying flaw, related to 3rd party vulnerabilities, remains unaddressed.
June 2018 – MageCart Threat Actor
Since March 2016, payment card and private customer data has been stolen during payment processing from dozens of major E-Commerce vendors worldwide. The ultimate scope of the MageCart attack spans thousands of websites, and it operated largely undetected for 3+ years. This is possibly one of the largest payment card thefts ever discovered. Notable victims include Ticketmaster,
It’s critical to note that this method is completely new and entirely different from traditional hacking methods used to steal payment details, which typically seek to infect the buyer’s computer, implant malware in Point of Sale terminals, or infiltrate corporate defenses to access stored databases at breached E-Commerce vendors. This new attack vector is increasing in scope and is capable of launching attacks at massive scale. This is particularly evident in the MageCart attack.
April 2018 – 3rd Party Chatbot Service 7.ai Compromised
October 2017 – Malicious Re-Directs from Major US-Based Credit Agencies
Watering Hole Attack on EU parliament
This attack illustrates that compromising 3rd party vendors can be leveraged to launch hyper-segmented, targeted attacks. An ad network operating on a news website frequented by parliament members was breached and used to redirect users to a webpage which distributed targeted malware to parliament users only.
Source Defense V.I.C.E.
Source Defense provides an entirely new and unique solution to prevent website supply chain attacks. Source Defense’s real-time, all-the-time prevention leverages a fully automated and machine-learning assisted set of policies that control the access and permissions of all 3rd party tools operating on a website. The Source Defense solution ensures those 3rd parties only deliver the intended user experience and may not be leveraged for malicious data extraction or website alteration.
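To make the idea of per-vendor access and permission policies concrete, the following is an added, hypothetical example written for this page; it is not Source Defense’s code and does not describe how V.I.C.E. is implemented. It models a default-deny policy engine: each 3rd party origin is granted an explicit list of DOM elements it may read or write and hosts it may send data to, payment fields are protected regardless of policy, and every other request is denied and recorded. The origins, selectors, hostnames and event stream are all constructed for illustration. In a real deployment the decisions would have to be enforced inside the browser (by isolating vendor scripts or mediating their DOM and network access); this block shows only the policy evaluation that such enforcement would consult.

```javascript
// Added example: default-deny access policy for 3rd party scripts on a page.
// Hypothetical illustration, not Source Defense's implementation. All origins,
// selectors and hostnames below are constructed sample values.

// Policy applied to any origin with no explicit entry: nothing is permitted.
const DEFAULT_POLICY = { dom: { read: [], write: [] }, network: [] };

// Per-origin policy: DOM elements the vendor may read/write and hosts it may
// send data to. Anything not listed is denied.
const POLICIES = {
  "https://analytics.example-vendor.com": {
    dom: { read: ["#product-title", ".price"], write: [] },
    network: ["analytics.example-vendor.com"],
  },
  "https://chat.example-widget.com": {
    dom: { read: [], write: ["#chat-container"] },
    network: ["chat.example-widget.com"],
  },
};

// Fields whose contents must never be readable by any 3rd party, even if a
// vendor's policy were (mis)configured to list them.
const PROTECTED_SELECTORS = ["#card-number", "#cvv", "#card-expiry", "input[type=password]"];

function hostOf(url) {
  return new URL(url).hostname;
}

// Allow the listed host and its subdomains only.
function hostMatches(allowed, host) {
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

// Decide whether a script served from `origin` may perform `action`.
// action: { type: "dom-read" | "dom-write" | "network", target: string }
function evaluate(origin, action) {
  const policy = POLICIES[origin] || DEFAULT_POLICY;
  switch (action.type) {
    case "dom-read":
      if (PROTECTED_SELECTORS.includes(action.target)) {
        return { allow: false, reason: "protected field" };
      }
      return { allow: policy.dom.read.includes(action.target), reason: "dom read policy" };
    case "dom-write":
      return { allow: policy.dom.write.includes(action.target), reason: "dom write policy" };
    case "network":
      return { allow: hostMatches(policy.network, hostOf(action.target)), reason: "network policy" };
    default:
      return { allow: false, reason: "unknown action" };
  }
}

// Evaluate a stream of requested actions and split it into allowed and denied
// records; the denied list is what a security team would review.
function enforce(events) {
  const allowed = [];
  const denied = [];
  for (const ev of events) {
    const decision = evaluate(ev.origin, ev.action);
    (decision.allow ? allowed : denied).push({ ...ev, reason: decision.reason });
  }
  return { allowed, denied };
}

// Constructed event stream: normal vendor behaviour followed by actions a
// compromised or unknown script might attempt on a checkout page.
const SAMPLE_EVENTS = [
  { origin: "https://analytics.example-vendor.com", action: { type: "dom-read", target: "#product-title" } },
  { origin: "https://analytics.example-vendor.com", action: { type: "network", target: "https://analytics.example-vendor.com/collect" } },
  { origin: "https://chat.example-widget.com", action: { type: "dom-write", target: "#chat-container" } },
  { origin: "https://analytics.example-vendor.com", action: { type: "dom-read", target: "#card-number" } },
  { origin: "https://analytics.example-vendor.com", action: { type: "network", target: "https://unlisted.example.invalid/c" } },
  { origin: "https://unknown.example.invalid", action: { type: "dom-write", target: "#checkout-form" } },
];

function demo() {
  return enforce(SAMPLE_EVENTS);
}

console.log(JSON.stringify(demo().denied, null, 2));
```

The design choice worth noting is the default-deny entry: a vendor that was never assessed, or a script injected through a compromised vendor and served from a new origin, gets no permissions at all rather than inheriting whatever the page itself can do, which is the inherited, uncontrolled risk the earlier sections describe.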
By removing the security, risk, and compliance considerations from 3rd party integrations, Source Defense saves countless man-hours spent on tests and integrations. This allows website owners to focus on enhancing user experience and driving web commerce revenues while ensuring the security and privacy of customer and payment data.