My Kingdom for a Horse!
In his play King Richard the Third, William Shakespeare wrote that the death of a single horse can bring down an entire kingdom. In 2018, hackers proved something similar in the world of cybercrime. By injecting a mere 22 lines of code into the supply chain of the British Airways website, the bad guys made off with 500,000 credit card numbers.
Everyone wants to experience exponential growth -- including hackers. When an attacker is able to insert malware into a company that supplies software to thousands of other companies, the result can be catastrophic. In the 2020 SolarWinds attack, hackers spiked a routine software update that was downloaded by 18,000 customers, including Microsoft, Intel, Cisco, and government agencies like Treasury, Justice, Energy, and the Pentagon.
To reach these heights of success, cybercriminals and spies invest enormous resources in compromising the most lucrative targets in information technology: software development, IT operations, industrial processes, content delivery networks, online advertising, systems integrators, and more. And to help ensure they remain undetected, criminals engage in their own form of risk assessment, such as estimating the likelihood of being discovered by a given target.
Some of these criminal groups evolved from the banking-trojan and webinject ecosystems. Over time, many of them have moved from the server side to the client side as a result of system hardening and the shift to mobile computing. They also love to hack web forms, since attackers seek ever-larger tranches of sensitive data: forms make it easy for criminals to find credit card data, because they don’t have to go looking for it.
E-Commerce is Vulnerable
In the age of e-commerce, hackers seek to compromise digital shopping carts and checkout pages to skim (i.e. steal) your payment data and personally identifiable information (PII). In the old days, criminals installed skimmers on ATMs and gas pumps to steal credit card numbers. Today’s malicious scripts look for keywords like your name, credit card number, expiry date, and CVV (the three-digit code which gives your credit card real value on the dark web). It's the same basic thing, but e-commerce has the potential for far greater impact.
To accomplish this, an attacker may compromise the target company itself or the server hosting its e-commerce website. Once they gain sufficient privileges, they may alter source code or inject a malicious script that redirects shopping cart data to a site owned by the attacker. Similarly, if a criminal gains access to a target’s backend infrastructure and its dashboards, they might simply reroute sensitive communications or alter DNS settings to direct users to a fraudulent site.
However, in many cases, they only need to inject their malware into embedded third-party software that the real target uses, and which the real target may not have the time or capability to evaluate or secure properly. The hackers may compromise code libraries or individual components used in a software build, steal code-signing certificates, trojanize software update binaries, compromise firms that offer software-as-a-service, hijack forms, insert malicious JavaScript into vulnerable plug-ins, disseminate malware via images, and more. The sheer complexity of Internet communications always makes security a challenge, and it favors evasion as well: for example, malicious JavaScript can be obfuscated by software packers to evade signature-based detection.
In practice, this means that a target company may never have been breached at all; it is simply using compromised third-party software. Data theft actually takes place in the user’s browser, where firewalls and antivirus software cannot help. Consider a typical third-party chatbot: such a tool is essentially a keylogger on your website, with potential access to everything entered there.
Investigations into third-party compromise can be complicated. In part, this is due to a shortage of network security experts and the limitations of law enforcement. But cybercriminals are also constantly innovating: exfiltrated data may be encrypted, it may be sent to drop sites inside legitimate domains, or even bounced across the Internet through a series of proxies. The Internet is home to millions of unwitting cybercriminal mules.
Finally, it is common for malicious code to contain rules that detect and counter security and forensic analysis. Thus, when successful, e-commerce malware can sit quietly on your website and skim credit card data for a long time.
Notable E-Commerce Hacks
- In 2018, hackers compromised a chat tool created by third-party supplier Inbenta and stole the name, address, email, phone number, login, and payment data of up to 40,000 customers at Ticketmaster.
- In 2018, cybercriminals compromised a third-party customer rating plugin, made by a company called Shopper Approved and used on over 7,000 e-commerce websites, in a campaign aimed at stealing credit card data.
- In 2019, on the e-commerce websites of MyPillow and AmeriSleep, hackers skimmed credit card data by compromising third-party software and using fraudulent domain names and a fake GitHub account, in a campaign that lasted two years.
- In 2019-2020, researchers discovered that threat campaigns were scanning for and exploiting vulnerable or misconfigured public cloud storage resources, such as Amazon S3 buckets, to insert JavaScript credit card skimmers on hundreds of websites.
- In 2021, attackers carried out a supply chain ransomware attack by exploiting a vulnerability in Kaseya's VSA software, which affected multiple managed service providers (MSPs) and up to 1,500 small to medium-sized companies.
- In 2021, a cryptocurrency platform called SushiSwap suffered a supply chain attack due to a malicious GitHub commit. The attacker stole $3 million in Ethereum by inserting their own wallet address in place of the firm’s.
- In 2021, one researcher earned $130,000 in bug bounties by demonstrating that he could coax computer programs into downloading malware by exploiting a “dependency confusion” weakness in current package managers.
Defend the Realm!
In Shakespeare’s play, King Richard discovered that his kingdom was more vulnerable than he imagined. Information security is no different. One must understand, manage, and secure an immense attack surface.
There is so much to think about: policy, best practices, defense-in-depth, team morale, and cyber insurance (in case something catastrophic happens). And everything must be continuously audited. What is that device? What are its privileges? Is it connected to the Internet? Does it need to be? With whom is it communicating? And so on. And attackers are not just after credit cards, but many other types of sensitive information.
To guard against supply chain attacks, you must extend these principles to your contractors and suppliers. Identify all of your third-party e-commerce and online advertising vendors, and demand (and incentivize) security best practices, self-assessments, and audits.
Unfortunately, many companies do not have the technical staff or expertise to properly vet the third-party code that is so often used in e-commerce. Therefore, in your shopping carts and checkout pages, include only third-party code that is both necessary and from vendors you trust. Your DevOps team should analyze and vet the code's contents and look for suspicious connections opened by scripts. Finally, monitor for updates and CVEs for every component you depend on, and fix known vulnerabilities quickly; leaving them open greatly increases your exposure.
One way to bolster supply chain security is code signing, which assures users that applications, executables, libraries, and scripts come from a known source and have not been tampered with, modified, or corrupted since they were signed. Here at VGS, we also sign our code commits in GitHub. Digital signatures verify the identity of the author or build system, and cryptographic hashes validate the code’s authenticity and integrity. Of course, as with any public key infrastructure (PKI) technology, this process depends on the security of the underlying cryptographic keys, so it is best to store those keys in tamper-proof hardware security modules (HSMs).
Another way to raise the bar on security is to use the Open Policy Agent (OPA), which provides policy-based control for cloud-native environments: an open-source, general-purpose engine that unifies policy enforcement across your tech stack. OPA provides a high-level declarative language that lets you specify policy as code, along with simple APIs. OPA can enforce policies for microservices, containers, Kubernetes, CI/CD pipelines, API gateways, and more. OPA generates policy decisions by evaluating query inputs against policies and data, and may be used to answer questions such as which users can access which resources and from which registries a binary may be downloaded.
VGS Solutions
Unfortunately, supply chain attacks are all too common in today’s e-commerce landscape. In case after case, we see malicious code slip into otherwise secure environments.
This is why VGS provides multiple methods to securely collect sensitive data and why VGS insulates its customers from ever having sensitive data in their systems. VGS vaults original data in a secure environment, thereby offloading liability and removing the risk of a data breach. Our customers only operate on aliased data (which may be exchanged for the original data upon request, in real-time).
VGS uses modern browser isolation techniques to ensure that even if your website is compromised, for example via cross-site scripting (XSS), the bad guys still cannot access your customer data: Collect.js renders the sensitive fields inside an iframe that isolates them from the host page. Further, by loading Collect.js from our hosts, VGS customers put the technical responsibility and legal liability for supply chain security squarely onto the shoulders of VGS.
When the full range of VGS security features is enabled, our clients never store sensitive information within their environment. Revealing an alias would require a significant compromise, such as compromising dashboard authentication in order to create a revealing route.
Our Collect.js JavaScript library lets your company collect data securely via web forms; it integrates quickly, validates input, supports a flexible data structure, is PCI-compliant, and has been penetration-tested. For VGS clients, don’t forget that you must always load VGS software directly from the VGS domain, over SSL.
Securing your supply chain is one of the most critical and challenging aspects of running a modern company. At VGS, we understand that it takes a high level of trust to help our customers secure their supply chain, and we take that responsibility seriously.