What are supply chain attacks?

Supply chain attacks occur when cybercriminals compromise your third-party vendors in order to breach your site. Attackers exploit vulnerabilities in the third-, fourth- and nth-party JavaScript running on your site to steal payment data and personally identifiable information (PII) from your users.

Up to 70% of the average website consists of code pulled in from partners and open source libraries. This code often calls further external code, creating a supply chain of externally sourced JavaScript. Cybercriminals inject malicious scripts into vulnerable code in these external libraries, and every website that loads the affected code then runs the malicious scripts as well. These scripts skim payment data and PII in digital skimming, Magecart, PII harvesting and formjacking attacks.

Falling victim to a supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with privacy regulations. And without the right security protocols, supply chain attacks can go undetected for long periods of time. Recent research found that 93% of companies suffered a cybersecurity breach through weaknesses in their supply chain in 2021.

Types of Supply Chain Attacks

Web applications have two main components: the server and the client. The server holds the application code, stores data and processes operations. The client is the user’s browser where the web application is delivered.

To carry out supply chain attacks, cybercriminals can target the server or the client.

  • In client-side supply chain attacks, cybercriminals exploit vulnerabilities in client-side JavaScript to inject malicious scripts that skim payment data and PII. There are many types of client-side supply chain attacks, but most often these take the form of digital skimming and Magecart or formjacking and PII harvesting.
  • In server-side supply chain attacks, cybercriminals compromise the code that runs on the server side. This allows attackers to steal stored customer or employee data, access and modify internal configurations, hijack bandwidth or intercept money transfers.

How do Supply Chain Attacks Work?

More than 99% of websites use code from third-party vendors to build their sites. Examples of this are social sharing buttons, advertising iframes, payment iframes, chatbots, analytics and metrics scripts, A/B testing scripts for experiments and helper libraries such as jQuery.

In order for such code to work, developers must grant the third-party JavaScript some level of access to their site, apps and data. In practice, that JavaScript can access, modify, replace or remove anything on the page, including UI elements, object prototypes, storage assets and network activity.

Cybercriminals understand the power that JavaScript has. They target weaknesses in this code, thereby gaining access to every website that uses it. The goal is to steal PII and payment information. This stolen data fuels a continuous cycle of cyberattacks, including credential stuffing, carding and account takeover (ATO). Here are a few of the vulnerabilities that are commonly exploited in supply chain attacks:

DOM Modification

The Document Object Model (DOM) is a programming interface for web documents that represents a webpage and the relationships between all of its elements. It allows JavaScript to read and modify a page. By modifying the DOM, malicious JavaScript can display fake content, serve unauthorized ads, show a fake form asking for PII and payment card (PCI) data, and make other changes to the webpage.

Browser Storage Data Access

Today’s browsers support cookies, session storage, local storage and other types of web storage, all of which usually hold sensitive user data. Third-party JavaScript likely has the ability to read and modify this storage. If cybercriminals exploit this code, they can access or change PII, social network tokens, affiliation codes, session keys, user histories and clickstreams.

Network Sniffing and Manipulation

JavaScript can extend or replace the browser's own networking functions at runtime, a technique known as monkey patching, to change the parameters, content, headers and target domains of network calls. It can also clone an entire request and modify its target, replaying the same network request elsewhere. Cybercriminals can abuse this capability to impersonate a browser or a web application.

Data Harvesting

JavaScript can monitor browser events, form field input changes and user interactions, and collect the data. If the code is compromised, any data on an application could be stolen and exfiltrated by cybercriminals.

Why Are Supply Chain Attacks Difficult to Detect?

Client-side supply chain attacks can easily go undetected for several reasons.

  • Lack of visibility at runtime - JavaScript code runs on the client side, meaning that it executes in users’ browsers rather than on the central server, so unauthorized changes are difficult to detect at runtime. This is especially true for scripts that load dynamically in users’ browsers. In addition, a third-party script’s runtime behavior is unknown in advance, and it may load resources from malicious domains.
  • Frequent code changes - Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, that does not mean subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their immediate knowledge.
  • Nth-party vendors - Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire supply chain.
  • Insufficient security reviews - Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and thus may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.

Impact of Supply Chain Attacks

Supply chain attacks negatively impact businesses in several ways.

  • Damage to brand reputation and consumer trust - If your brand suffers a supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company.
  • Lawsuits - Consumers may file lawsuits against businesses that expose their personal data to cybercriminals in a supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services delivered to users through a software supply chain.
  • Regulatory fines - Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Businesses are liable for hefty fines if they do not comply with these regulations, even when the breach results from an attack on a third-party vendor.
  • Impaired functionality - Supply chain attacks can affect a company’s ability to deliver products and services. This affects business continuity and creates data inaccuracies, making it hard for applications that use a compromised vendor to function. This results in revenue loss and a competitive disadvantage.
  • Lower stock value - Your stock price may plummet following a supply chain attack, and investors may sell your stock to avoid losses.

All in all, supply chain attacks lead to severe financial losses. In some cases, top executives may be forced to resign, as happened to the CEO of Target following a data breach.

How to Prevent Supply Chain Attacks

Businesses can prevent supply chain attacks by vetting their third-party code vendors. Before onboarding a new vendor, ask them detailed questions about their data security protocols and compliance with privacy regulations. Include specific security requirements and penalties for non-compliance in vendor contracts to mitigate the possibility of supply chain attacks.

Take a zero-trust, least-privilege approach to third-party vendors: do not grant JavaScript code more access rights and privileges than it needs to function properly. Continuously assess and validate the JavaScript that runs on your sites and networks, and use content security policy (CSP) rules together with client-side, browser-based JavaScript blocking to stop malicious script injections from loading and to prevent unauthorized data transfer.

How Does PerimeterX Prevent Supply Chain Attacks?

PerimeterX Code Defender is a client-side application security solution that protects websites from client-side supply chain attacks. The solution continuously monitors all first-, third- or Nth-party client-side scripts on a site, builds a behavioral baseline for them and flags anomalous activity, including behavior changes, communication with new network domains or DOM modifications. Code Defender provides robust insights into JavaScript activity over time and mitigates risk through a combination of CSP and granular client-side JavaScript blocking. This prevents data breaches and ensures compliance with privacy regulations.

© PerimeterX, Inc. All rights reserved.