How Malicious Actors Are Using Client Side Vulnerabilities To Steal Sensitive Data
Over the years, the payment card industry has focused on securing point of sale (card present) transactions. The addition of EMV and P2PE has improved the security of card present transactions. Software installed on payment terminals has to meet compliance standards and be audited for security.
E-commerce transactions are completely different. Page analytics, marketing automation, digital advertising applications, and other programs and software give merchants fantastic amounts of business intelligence.
However, this kind of data collection wouldn't be tolerated in a point of sale environment without many compensating controls locking down where and how those communications happen, yet all of it is allowed in an e-commerce environment. This has led to numerous vulnerabilities that e-commerce attackers have been exploiting for years. And as card present transactions have become more secure, more and more attackers are turning to e-commerce and other digital channels to steal sensitive information.
Aaron Willis, Principal Security Analyst at SecurityMetrics, found a case where the Apache caching module allowed attackers to upload malicious images that had PHP code in them. This allowed the attacker to add code to the website via the image upload. It's easy to look at an image upload component and not see anything dangerous. It's just an image, after all. But by exploiting the vulnerability, the attackers were able to upload full pages of code and take complete control of the website.
We’ve also seen cases where companies have a single page website and they add a WordPress blog. That blog is a plugin that now has direct access to the cart page because of the configuration of the website. If websites are not architected and configured for security, it is likely that vulnerabilities exist to give hackers access to the shopping cart environment.
If you hire a security consultant, they'll check the static code on your server, but they won't check the browser experience of the site. Malware, antivirus, and vulnerability scanners typically check only the main page of a site. They'll find the malware if it's installed on the homepage, but not if it only appears on pages deeper in a session. These more recent attacks target exactly that scenario.
For example, the malware is installed only on a checkout page and is only visible, or only fires, once a CVV field has been modified. This means the malware is invisible to any kind of check (e.g., vulnerability scan, anti-virus) except one that actually mocks a real purchase. The attackers want their malware to lie dormant and hide until they know credit card information is present.
These attacks may be triggered when a person puts in their credit card details, and if you don’t run your solution right at that exact moment, you may never see the malware. You might never see that any information was stolen.
SecurityMetrics WIM technology helps prevent these skimming attacks by running at that precise moment and checking what scripts are present at that time.
We help customers close data security and compliance gaps to avoid data breaches. We provide managed data security services and are certified to help you achieve the highest data security and compliance standards.
We are a PCI certified Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), Certified Forensic Investigator (PFI), and Managed Security provider with 20 years of data security experience.
From local shops to some of the world’s largest brands, we help all businesses achieve data security through managed services, compliance mandates (PCI, HIPAA, GDPR), and security assessments (HITRUST consulting and assessments). We have tested over 1 million systems for data security and compliance. We are privately held and are headquartered in Orem, Utah, where we maintain a Security Operations Center (SOC) and 24/7 multilingual technical support.