Weaknesses in e-commerce security

Weaknesses in e-commerce security
(Image credit: JanBaby / Pixabay)

The e-commerce market is on the ascension with global growth expected to increase by 20 percent by the end of 2019 to £2.9 trillion, before rising again to approach £4 trillion by 2021. The growth opportunities for e-commerce platforms are potentially boundless. Unfortunately, so too are the opportunities for threat actors wishing to exploit weaknesses in e-commerce cyber defences. 

The latest cyber attacks are aimed at online retailers and are designed to fuel card not present fraud by silently stealing card and customer credentials. These types of attacks require businesses to look beyond traditional endpoint security solutions if they are going to effectively combat evolving threats.

About the author

Aaron Lint is Chief Scientist at Arxan Technologies.

Tactics and techniques

Since the advent of ATMs and card readers, criminals have found ways to capture credit card details from unsuspecting victims with card skimmers. These paper-thin pieces of equipment can be inserted into the criminal’s chosen device to steal the data they need to commit fraud – card number, expiry date and even a PIN if entered.  

Now with so much credit card processing carried out online, threat actors have followed and are engaging in techniques that skim payment information as it is entered into e-commerce sites. Specifically, formjacking is a threat specifically targeting the input forms form embedded within e-commerce websites. 

The customer-facing web layer is targeted in order to siphon off a customer’s payment details as they are typed into online merchant services. Transactions complete as normal, and neither the customer nor the retailer may be aware that payment details have been stolen by a threat actor. 

Lack of security measures

Site administrators are also unlikely to realise anything is amiss because most web applications lack in-browser security measures or visibility to threats happening on the client side of their applications. The theft happens outside the purview of traditional perimeter security tools, like web application firewalls (WAF) or other cloud firewalls, because the malicious activity never crosses the targeted website’s data center boundary. 

Even if an organisation detects and removes the malicious implant from their website, some groups use tactics such as network heartbeats and code signing to alert them in the event their code was detected so that they can go back and re-infect the website to keep persistently stealing data. 

Once they have this complete card information for identity theft, colloquially known as “fullz”, criminals can either monetize it by selling it on the black market to the highest bidder or, purchase goods online to commit secondary card not present (CNP) fraud.

Symantec research

Research by Symantec reveals that some 4,800 websites are affected by formjacking attacks each month. Unfortunately, most endpoint or network security solutions offer little defence against covert these attacks, given that this attack will never touch any assets which are subject to that scanning or protection.  

One of the emerging ways that attackers can introduce code into an existing site is via the supply chain of third-party code integrated into the application. This is a lucrative force multiplying opportunity for an attacker. If they can inject quietly into a lower level dependency, that malicious code can be deployed en masse through the normal deployment of the site. 

This method of injection can then expose thousands to hundreds of thousands of end customers to malicious code, without a single compromise of company-owned infrastructure. 

Protecting your customers

There are a number of measures e-commerce businesses can take to mitigate the risks of formjacking style attacks and protect themselves and their customers. The first course of action should be to ensure any shopping cart software, such as Magento or Shopify, or tools used to run an e-commerce website are up-to-date with the latest software, and all patches are installed immediately to address any bugs or potential security vulnerabilities. Organisations should also conduct regular web code audits and penetration tests to ensure websites, including any third party apps, have not been compromised.  

The next defensive technique that should be implemented is a protection solution that can deliver several defensive layers. First is code obfuscation – the process of making Javascript or HTML5 code difficult to understand making the reconnaissance phase of an attack expensive for the attacker. In parallel, there is a competitive advantage with the visibility of if a web app is currently under attack. 

This threat detection can then be used to understand the extent of an attack allowing the business to take appropriate action – such as blocking the transaction, requiring step-up authentication, or increasing the suspicion levels of subsequent transactions. These are all actions that can disrupt the weaponization phase of an attack preventing attackers from inserting malicious code.

Protection solutions

Lastly, a comprehensive protection solution should have the ability to block any web server connections by the web app to stop the exploitation phase of an attack. In the event of an undiscovered supply chain attack the ability of a web app to only allow communications with approved web sites will prevent any data exfiltration attempts, effectively stopping the monetization phase of a Magecart/formjacking style attack. 

The threat of Magecart/formjacking attacks and supply chain injection is only going to intensify and evolve as threat actors continue to see success using these types of attacks. Therefore, e-commerce companies need to review their security posture and implement in-app and website security measures that can help prevent these types of attacks at each stage of attack – reconnaissance, weaponization and monetization – before it’s too late.


Aaron Lint is Chief Scientist at Arxan Technologies.

Aaron Lint is Chief Scientist at Arxan Technologies.