I’ve been asked a lot about Content Security Policy (CSP) as a possible solution for Magecart and other web-skimming attacks lately. Companies, mostly eCommerce sites, are actively looking for a way to handle this emerging threat. CSP, which is not a costly solution, has become an integral part of many security-toolboxes.

But is it the solution you really need to fight Magecart?

The Third-Party App Challenge

Modern eCommerce websites and business platforms are using dozens of external third-party apps to enhance their user engagement, site performance and conversion metrics. Third-party applications for analytics, heat-maps, ads, and chats are good examples.

Unfortunately, it’s not a bed of roses. These external applications are loaded remotely and can create additional entry points for an attacker, which are not protected by any of the traditional security controls such as WAF or IPS. Risks can escalate fast, as the modern eCommerce business has to deal with cybercrime, supply-chain attacks, breaches, financial damages, accountability, reputational damage, compliance, and safety audits.

Especially since…


Learn how and why eBay is port scanning its users.

Image for post
Image for post

You might have recently heard that eBay is performing port scanning while online shoppers are visiting their website. At first glance, this may sound a bit strange, as port scanning is an internal network action. But eBay is not alone. According to Bleeping Computer, a high number of well-established websites are conducting port-scanning. In this Medium post , I’ll try to shed more light on port scanning activities from the technical perspective.

How does an external website gain access and get the ability to conduct internal network scanning? What are their limitations, if any?


A new web skimming campaign, starting from the end of 2019, is impersonating Google web products in order to collect sensitive information from users on eCommerce websites.

During the last few weeks, our research team in Reflectiz has been investigating a new web-skimming type campaign targeting e-commerce websites. The campaign deliberately collected users’ personal information, including credit-card numbers, from the checkout pages and other sections.

Image for post
Image for post

Hundreds of Websites are Already Infected

According to the research findings, this campaign commenced late 2019 and, until the time of our research, was still active, infecting hundreds of websites. The initial signs of this campaign were the registration of several malicious domains. This process continued until the end of March 2020, indicating that the attackers intended to remain undetected while exploiting their new targets.

As in identical…


This article seeks to address a serious security risk of using an expired domain on websites, demonstrating the many threats that arise as a result of this situation.

The Risks of Ex-Domain Re-use on Websites and How to Stay Protected Against It by Reflectiz
The Risks of Ex-Domain Re-use on Websites and How to Stay Protected Against It by Reflectiz

The Challenges of Using Third-Party Domains

Today’s businesses are highly collaborative on the digital level. One of the main results is the growing dependency on external third-party scripts. Running scripts belonging to third-party domains cannot be avoided, as website visitors are also linked to various third-party services. Businesses are now creating active communication between a users’ browser with the third-party domains (i.e., remote domains) to access the needed data and get enhanced browsing experience.

For example, an average…

Idan Cohen

CEO and co-founder of Reflectiz, a cybersecurity company. Reflectiz is the first website-sandbox solution that mitigates the risk of third-party apps.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store