Some tips for effectively combating Web supply chain attacks and customer hijacking via browser extensions.

Pedro Fortuna, CTO and Co-Founder, Jscrambler

December 13, 2021

[Image: Christmas presents. Source: Piotr Kaźmierski via Alamy Stock Photo]

Every year, we hear about how the holiday shopping season is set to break all previous records. According to recent data from the National Retail Federation, 2021 won't be any different, with sales in the US estimated to grow by 10% over last year's numbers, topping out at $859 billion, excluding automobile dealers, gasoline stations, and restaurants. That's simply too big a pie for cybercriminals to ignore.

While retailers have spent months preparing their logistics chains and stocking their shelves to support this growing demand, I can't help but ask: What have they done to bolster their cybersecurity posture?

To answer this question, let's look at two of the most effective and widely used website attack vectors that cybercriminals employ to rob e-commerce businesses:

Web Supply Chain Attacks
In the fallout of the SolarWinds attack, there has been an unprecedented push toward improving the security of global software supply chains. A big driver of this push was the May 2021 White House executive order on improving the nation's cybersecurity (EO 14028). The executive order itself is quite clear on why this is an urgent matter. "The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors," it reads.

E-commerce sites are especially prone to Web supply chain attacks, as attested by a long history of Magecart Web-skimming attacks that breached companies such as British Airways, Macy's, Ticketmaster, and Newegg. Attackers are taking advantage of the exposure that e-commerce sites have to third-party vendors; on average, each site runs 35 services provided by third parties. That's almost three dozen weak links that need to be hardened.

By breaching one of these third-party vendors and injecting a malicious payload into one of their services (conceptually similar to SolarWinds), attackers can breach thousands of websites in one go. Because a third-party script runs in the shopper's browser with the same access to the page as the retailer's own code, the injected payload can read card numbers and other form fields as they are typed and send them to a domain the attacker controls. These attacks leak credit card data and personally identifiable information and often remain undetected for months.

A report by IBM states that the average cost of a data breach in retail grew 63% in 2021 alone, partially fueled by digital transformation and remote working. All in all, this is a strong indicator that leaking data is still one of the most common goals for attackers targeting e-commerce companies.

Customer Hijacking
In today's highly competitive e-commerce landscape, every retailer is fighting a fierce battle to retain customers' attention and interest. An online shopper's attention span is feeble, and so retailers have spent years meticulously optimizing their webpages to improve the user experience and maximize conversion rates.

However, these carefully optimized conversion flows are often disturbed by external factors. A common customer hijacking attack happens through user-installed browser extensions or price comparison tools. These display price comparison pop-ups, coupon codes, and similar information directly on the page that the user is browsing. By clicking on these, the user is typically led to a competitor's website and away from the original site being browsed.

Our own internal research shows that around 5% of an e-commerce website's user sessions are affected by this type of hijacking. In the scope of a global retailer, this can represent millions in lost revenue per year (a good chunk of that during the holiday shopping season). Applying that 5% to the NRF's $859 billion holiday forecast puts $42.95 billion of sales within reach of this kind of interference.

Another example of customer hijacking relates to a compromise of a website component (which may itself be the result of a supply chain attack). There have been cases where such a compromise was used by attackers to serve malware to users directly through the site, such as the 2017 incidents at Equifax and TransUnion, where a compromised third-party script redirected visitors to a fake Flash Player update. Not only does this completely disrupt the user experience, it damages the brand's image and reputation.

Addressing the Security Gap
While the tactics, techniques, and procedures used in these attacks are quite different, both stem from the same clear security gap: lack of visibility and control over what happens on the client side (i.e., everything that takes place in the browser or on the end-user device).

At this very moment, there are likely thousands of e-commerce sites leaking data into the hands of attackers and disrupting the user experience of shoppers without the affected companies being aware of it. This happens because these companies failed to go beyond traditional server-side approaches (like a Web application firewall, which never sees what a third-party script does inside the browser) and did not implement proper security controls on the client side.

To gain this visibility, companies can take a quick and easy first step: Look for signs of malicious behavior in every user session, such as a third-party component attempting to tamper with a payment form or a browser extension displaying a pop-up ad. But visibility is only half the battle. Companies must take further steps and use technology capable of blocking the source of this behavior, effectively preventing Web supply chain attacks and customer hijacking.
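What "looking for signs of malicious behavior in every user session" can mean in practice, as an added example that is not the article's or Jscrambler's code: a small client-side tamper sensor for a checkout page. The pure function classifyChange() decides whether one DOM change is suspicious (a script from an origin outside the allowlist, an inline script created at runtime, a frame or field injected into the payment form, the form's action repointed elsewhere, or any element loaded from a browser-extension URL), so it can be exercised without a browser; the glue at the bottom feeds it real MutationObserver records when the file is loaded in a page. The origins, the form selector, the report endpoint and the sample changes are all assumptions constructed for illustration.

```javascript
// Added example (not from the article or Jscrambler). Origins, selector and endpoint are assumed.
const FIRST_PARTY = 'https://shop.example';                                                 // assumed
const ALLOWED_SCRIPT_ORIGINS = new Set([FIRST_PARTY, 'https://js.payments.example']);       // assumed
const ALLOWED_FORM_ACTION_ORIGINS = new Set([FIRST_PARTY, 'https://api.payments.example']); // assumed
const PAYMENT_FORM_SELECTOR = '#checkout-form';                                             // assumed
const REPORT_ENDPOINT = '/__client-security/report';                                        // assumed
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:'];

// Resolve relative URLs against the first-party origin; null if unparseable.
function parseUrl(raw) {
  try { return new URL(raw, FIRST_PARTY + '/'); } catch { return null; }
}

// One DOM change, described as plain data:
// { kind: 'added' | 'attribute', tag, src?, attr?, value?, insidePaymentForm }
function classifyChange(c) {
  const flag = (reason) => ({ suspicious: true, reason });
  const ok = { suspicious: false, reason: 'ok' };
  const url = c.kind === 'attribute' ? c.value : c.src;
  const u = url ? parseUrl(url) : null;

  // 1. Anything loaded from an extension URL was put on the page by a browser extension.
  if (u && EXTENSION_SCHEMES.includes(u.protocol)) {
    return flag(`browser extension injected ${c.tag}: ${url}`);
  }
  // 2. Runtime-added scripts: only allowlisted origins may add code; a dynamically created
  //    inline script is the classic skimmer drop-in and is flagged outright.
  if (c.kind === 'added' && c.tag === 'SCRIPT') {
    if (!c.src) return flag('inline script inserted at runtime');
    if (!u) return flag(`script with unparseable src: ${c.src}`);
    if (!ALLOWED_SCRIPT_ORIGINS.has(u.origin)) return flag(`script from unlisted origin: ${u.origin}`);
    return ok;
  }
  // 3. New fields or frames inside the payment form: fake-field and overlay skimmers.
  if (c.kind === 'added' && c.insidePaymentForm &&
      ['INPUT', 'SELECT', 'TEXTAREA', 'IFRAME', 'FORM'].includes(c.tag)) {
    return flag(`${c.tag} inserted into payment form at runtime`);
  }
  // 4. Repointing the form's action sends the card data somewhere else on submit.
  if (c.kind === 'attribute' && c.tag === 'FORM' && c.attr === 'action' && c.insidePaymentForm) {
    if (url && !(u && ALLOWED_FORM_ACTION_ORIGINS.has(u.origin))) {
      return flag(`payment form action repointed to ${u ? u.origin : url}`);
    }
  }
  return ok;
}

// Constructed sample (not captured traffic), in the shape the browser glue below produces.
const SAMPLE_CHANGES = [
  { kind: 'added', tag: 'SCRIPT', src: 'https://js.payments.example/v3/checkout.js', insidePaymentForm: false },
  { kind: 'added', tag: 'SCRIPT', src: 'https://cdn.analytics-vendor.example/tag.js', insidePaymentForm: false },
  { kind: 'added', tag: 'SCRIPT', src: undefined, insidePaymentForm: false },
  { kind: 'added', tag: 'IFRAME', src: 'chrome-extension://abcdefgh/price-popup.html', insidePaymentForm: false },
  { kind: 'added', tag: 'INPUT', src: undefined, insidePaymentForm: true },
  { kind: 'attribute', tag: 'FORM', attr: 'action', value: 'https://collect.attacker.example/p', insidePaymentForm: true },
  { kind: 'attribute', tag: 'FORM', attr: 'action', value: '/checkout/submit', insidePaymentForm: true },
];

function flaggedReasons(changes = SAMPLE_CHANGES) {
  return changes.map(classifyChange).filter((v) => v.suspicious).map((v) => v.reason);
}

// ---- Browser glue: converts MutationObserver records into the plain shape above ----
function describeNodes(node, form) {
  if (node.nodeType !== 1) return [];                 // elements only
  // The observer reports only the inserted subtree root; a <div> wrapping a <script>
  // would otherwise hide the script, so descend into the inserted subtree.
  return [node, ...node.querySelectorAll('*')].map((el) => ({
    kind: 'added',
    tag: el.tagName,
    src: (el.tagName === 'FORM' ? el.getAttribute('action') : el.getAttribute('src')) || undefined,
    insidePaymentForm: !!form && form.contains(el),
  }));
}

function describeAttribute(rec, form) {
  const t = rec.target;
  return { kind: 'attribute', tag: t.tagName, attr: rec.attributeName,
           value: t.getAttribute(rec.attributeName) || undefined,
           insidePaymentForm: !!form && form.contains(t) };
}

function report(verdict, change) {
  const body = JSON.stringify({ reason: verdict.reason, change, url: location.href, t: Date.now() });
  if (navigator.sendBeacon) navigator.sendBeacon(REPORT_ENDPOINT, body);
  else fetch(REPORT_ENDPOINT, { method: 'POST', body, keepalive: true }).catch(() => {});
}

if (typeof window !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const form = document.querySelector(PAYMENT_FORM_SELECTOR);
  new MutationObserver((records) => {
    for (const rec of records) {
      const changes = rec.type === 'attributes'
        ? [describeAttribute(rec, form)]
        : Array.from(rec.addedNodes).flatMap((n) => describeNodes(n, form));
      for (const change of changes) {
        const verdict = classifyChange(change);
        if (verdict.suspicious) report(verdict, change);
      }
    }
  }).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['action'],
  });
} else {
  console.log(flaggedReasons().join('\n'));          // stand-alone run outside a browser
}
```

Two caveats a practitioner should keep in mind. First, this is visibility, not blocking: MutationObserver callbacks run after the insertion has happened, so an inline script has already executed and an external one may already be loading by the time the record arrives, which is exactly why the paragraph above treats detection as only half the battle. Second, the rules are heuristics: a legitimately added vendor script shows up as "unlisted origin" until its origin is allowlisted, which is the review step that turns a noisy sensor into an inventory of the third-party code actually running in shoppers' browsers.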

In the holiday shopping rush, with a record number of people predicted to be shopping online, it's crucial that retailers adopt the proper security controls. These two attack vectors can and should be addressed. Failing to do so may result in a record-breaking feeding frenzy for cyberattackers.

So, what have retailers done to deal with these complex cybersecurity threats? It's hard to tell for sure, but let's hope that the answer isn't "Not enough."

About the Author(s)

Pedro Fortuna

CTO and Co-Founder, Jscrambler

Pedro Fortuna is the CTO and Co-Founder of Jscrambler. With extensive experience in academia and as a security researcher, Pedro has co-authored several application security patents. He is an active member of the AppSec community, contributing to OWASP and regularly speaking at events such as OWASP AppSec USA, DEFCON, and BSides SF.

