Preventing Client-side Supply Chain Attacks

What are Client-side Supply Chain Attacks?

Client-side supply chain attacks happen when cybercriminals exploit vulnerable JavaScript code from partners or the open source community that delivers functionality to enrich site visitors’ experience. Common functions such as ad tracking, payments, customer reviews, chatbots, tag management, and social media integrations often come from third parties or trusted vendors, freeing up application developers to focus on innovation. Attackers exploit vulnerabilities in the first-, third-, fourth- and nth-party JavaScript running on your site to steal payment data and personally identifiable information (PII) from your users. This shift to using third-party code leaves modern web applications vulnerable on the client side, where legacy security tools are blind.

On average, 70% of website code is pulled in from partners and open source libraries. This code often utilizes other code, creating a supply chain of externally sourced JavaScript that website owners cannot always see or control. Cybercriminals inject malicious scripts into vulnerable code in these external libraries, and websites that use the code now have the malicious scripts actively running on their sites. These harmful scripts skim payment data and PII in a variety of supply chain attacks that include digital skimming, Magecart, PII harvesting and formjacking.

Falling victim to a client-side supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with data privacy regulations. And without the right security protocols, these attacks can go undetected for long periods of time.

Types of Client-side Supply Chain Attacks

In client-side supply chain attacks, cybercriminals exploit vulnerabilities in client-side JavaScript to inject malicious scripts that skim payment data and PII. There are many types of client-side supply chain attacks, but most often these take the form of:

  • Digital Skimming and Magecart - A digital skimming attack steals credit card information or payment card data from visitors to your online store. Attackers take advantage of the security weaknesses in website shadow code, including third-party JavaScript and open source libraries. Digital skimmers inject malicious code into the third-party scripts on your website that steals credit card data from your users.

  • Formjacking and PII Harvesting - In these attacks, criminals inject malicious scripts into vulnerable JavaScript code in your website forms to alter their behavior. This allows them to collect PII that users submit, typically on a login or checkout page. PII may include social security numbers, usernames, passwords, PIN numbers and addresses.

Why are Client-side Supply Chain Attacks Difficult to Detect?

Client-side supply chain attacks can easily go undetected for several reasons.

  • Lack of visibility at runtime - JavaScript code executes on the client side, meaning that it runs on users’ browsers rather than the central web app server. Because of this, it can be difficult to detect unauthorized changes at runtime. This includes scripts that load dynamically in users’ browsers and third-party script behavior that could load resources from malicious domains.
  • Frequent code changes - Third-party libraries are continually being iterated on and updated. Even if a script is reviewed when it is first added to a site, it does not mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their knowledge.
  • Nth-party vendors - Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. In certain instances, it may be the nth-party script down the line that is vulnerable, which can have a detrimental effect on the entire software supply chain.
  • Insufficient security reviews - Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.

Impacts of Client-side Supply Chain Attacks

Client-side supply chain attacks lead to severe business consequences regarding:

  • Compliance penalties - Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Businesses are liable for hefty fines if they do not comply with these regulations — even if it’s due to an attack on a third-party vendor.
  • Financial liability - Consumers may file lawsuits against businesses that expose their personal data to cybercriminals in a client-side supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services that are introduced to users from a software supply chain.
  • Brand reputation - If your brand suffers a client-side supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company, and it can negatively impact your stock price if you are a public company.

All in all, client-side supply chain attacks lead to severe financial losses. In some cases, top executives may be forced to resign, as happened to the CEO of Target following a data breach resulting from supply chain code.

How are Companies Fighting Client-side Supply Chain Attacks?

Traditional cybersecurity solutions like Web Application Firewalls (WAFs) are insufficient for protecting the client side against digital skimming and PII harvesting attacks. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of malicious code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration and deployment cycles. Content security policies (CSP) are often the first step for many web application security professionals. Because CSPs were originally designed for protection against cross-site scripting (XSS), they need a lot of tuning. CSPs alone don’t provide any protection against a compromise of a trusted domain that can be used to inject a skimmer on the website. CSP is also all or nothing: a script from an allowed source is either on or off, so every action that script takes is permitted or none of it runs, which is why more granular control over what a legitimate script may do is key.
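The allowlist behaviour described above, as an added example that is not part of the original page or of PerimeterX’s product: a simplified evaluator for the `script-src` directive of a CSP header. The policy, hostnames and script URLs are constructed, and nonces, hashes, ports and paths are ignored for brevity; the point it shows is that a skimmer served from an allowlisted (but compromised) vendor host passes the same check that blocks an unknown host.

```javascript
// Added example, not PerimeterX code. Constructed policy and URLs throughout.

// Return the source expressions listed after "script-src" in a CSP header.
function parseScriptSrc(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src '));
  return directive ? directive.slice('script-src '.length).split(/\s+/) : [];
}

// Host matching as CSP does it: exact host, or "*.example" for subdomains
// only (the bare apex "example" is NOT matched by "*.example").
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Decide whether CSP would let a script URL load on a page at pageOrigin.
// Simplification: only 'self', 'none' and host expressions are handled.
function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return parseScriptSrc(cspHeader).some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return url.origin === pageOrigin;
    // strip an optional scheme and any path, keep the host part only
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0];
    return hostMatches(host, url.hostname);
  });
}

// Given observed script loads, return only those CSP would have blocked.
function blockedScripts(cspHeader, loads, pageOrigin) {
  return loads.filter((u) => !scriptAllowed(cspHeader, u, pageOrigin));
}

// Constructed policy for a hypothetical storefront and a vendor CDN.
const PAGE_ORIGIN = 'https://shop.example';
const CSP =
  "default-src 'self'; script-src 'self' https://cdn.vendor.example *.tagmanager.example";

// Constructed loads: the third one is a skimmer pushed to the trusted CDN.
const OBSERVED_LOADS = [
  'https://shop.example/app.js',
  'https://evil.example/skim.js',
  'https://cdn.vendor.example/reviews.js',
];
```

Only `https://evil.example/skim.js` ends up in `blockedScripts(CSP, OBSERVED_LOADS, PAGE_ORIGIN)`; the compromised vendor file is allowed wholesale because the host is trusted.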

Modern client-side application security solutions can continuously monitor all of the scripts on your website for anomalous behavior and automatically groom CSP rules to help stop digital skimming and PII Harvesting.

Stop Client-side Supply Chain Attacks with PerimeterX Code Defender

PerimeterX Code Defender is a client-side web application security solution that provides comprehensive real-time visibility and granular control into your modern website’s client-side supply chain attack surface, to identify vulnerabilities and anomalous behavior and proactively mitigate risk.


Code Defender continuously identifies vulnerabilities and anomalous behavior, and proactively mitigates the risk of first-, third- and nth-party scripts in real users’ browsers. Code Defender uses multi-layered protection including comprehensive client-side mitigation, providing granular control over legitimate JavaScript to enable customers to block specific actions without blocking the entire script, complementing CSP capabilities. With deep knowledge of how attackers think and act, the solution protects your digital business from client-side supply chain attacks and data breaches.

© PerimeterX, Inc. All rights reserved.