Modern eCommerce websites and business platforms use dozens of external third-party apps to enhance their user engagement, site performance and conversion metrics. Third-party applications for analytics, heat maps, ads, and chat are typical examples.
Unfortunately, it’s not a bed of roses. These external applications are loaded remotely, straight into the visitor’s browser, and can create additional entry points for an attacker that are not covered by traditional security controls such as a WAF or IPS. Risks can escalate fast, as the modern eCommerce business has to deal with cybercrime, supply-chain attacks, breaches, financial damages, accountability, reputational damage, compliance, and safety audits.
This is especially true since the rise of the Magecart threat. Magecart essentially refers to hacking groups that specialize in gaining unauthorized access to websites and injecting malicious code into checkout pages. And how do they gain access? By exploiting third-party applications, a common phenomenon in the eCommerce space. …
You might have recently heard that eBay performs port scanning while online shoppers are visiting its website. At first glance, this may sound a bit strange, as port scanning is an internal network action. But eBay is not alone. According to Bleeping Computer, a high number of well-established websites are conducting port scanning. In this Medium post, I’ll try to shed more light on port-scanning activities from a technical perspective.
How does an external website gain the ability to scan a visitor’s internal network from within the browser? What are its limitations, if any?
During the last few weeks, our research team at Reflectiz has been investigating a new web-skimming campaign targeting eCommerce websites. The campaign deliberately collected users’ personal information, including credit-card numbers, from checkout pages and other sections of the sites.
According to the research findings, this campaign commenced in late 2019 and, at the time of our research, was still active, having infected hundreds of websites. The initial signs of this campaign were the registration of several malicious domains. This process continued until the end of March 2020, indicating that the attackers intended to remain undetected while exploiting their new targets.
As in similar web-skimming attacks, the offenders’ payload was injected after they had found a vulnerability that allowed them to upload the malicious code to the eCommerce website. From there on, the code is loaded, either on checkout pages or throughout the entire website, in order to extract users’ sensitive data. …
This article addresses a serious security risk that arises when a website keeps loading resources from an expired domain, demonstrating the many threats that result from this situation.
Today’s businesses are highly collaborative on the digital level. One of the main results is the growing dependency on external third-party scripts. Running scripts belonging to third-party domains cannot be avoided, as website visitors are also linked to various third-party services. Businesses now create active communication between a user’s browser and third-party domains (i.e., remote domains) to access the needed data and provide an enhanced browsing experience.
For example, an average company may suddenly be using over 100 remote domains while communicating with its end users. What happens when a remote domain becomes inactive or expires? The vendor no longer uses it, which means that your website should not be using it either. However, since such domains are probably not managed as an organizational asset, the website keeps pointing users’ browsers at them. Now, if attackers register one of these expired domains, they control whatever script your website loads from it, and with it gain direct access to your pages and your users. …