Your WAF can’t stop web skimming attacks from stealing your customers’ sensitive data

In the past, a web application firewall (WAF) may have been sufficient to stop most of the security threats facing web applications, because most of the complexity and risk lived on your server. This is no longer the case. Today’s web apps, modern browsers, and the widespread use of JavaScript mean that a growing share of security threats live away from your servers and outside your security perimeter, such as the web skimming attacks being engineered by the various Magecart groups.

What is Magecart? Magecart is an umbrella term for several cybercriminal groups that steal payment card data and personal information, primarily by compromising third-party JavaScript and other third-party code in order to install the online equivalent of a credit card skimmer on web pages.


Magecart and other web skimming attackers are hard to detect

These web skimming attacks succeed so often because they are very hard for IT and security teams to detect. A physical skimmer steals card numbers at an ATM; a web skimmer is malicious code, often hidden inside third-party JavaScript your site already loads, that runs directly in the customer’s browser. The data it steals is sent from the browser straight to a server the attacker controls, so it never touches your servers or the security controls in front of them. To those controls, the attack is effectively invisible.

Worldwide, the average time to detect a data breach is roughly 190 days, and under current data protection laws, failing to detect a breach quickly carries serious consequences. British Airways detected its Magecart breach after just 15 days, yet the attack affected over 300,000 customers and led to a proposed fine of about $230 million. Imagine the fallout after another 50 days, let alone 175.

Your WAF isn’t the right defense for web skimming attacks 

A traditional web application firewall (WAF) with customized rules for known vulnerabilities dramatically improves your ability to secure your backend against application-level attack vectors that arrive in requests to your servers, such as SQL injection, cross-site scripting, and cross-site request forgery.

However, a WAF offers only limited protection for today’s expanding security perimeter. Early Magecart attacks infected sites by breaking directly into an organization through vulnerabilities in its own systems, a tactic a WAF can help detect because the attack traffic passes through it. Magecart has since evolved to focus on compromising third-party JavaScript, which is loaded into the browser at runtime. Neither the skimmer code nor the exfiltration traffic passes through your network: the script arrives from the third party’s servers, and the stolen data leaves the customer’s browser for a server the attacker controls. A WAF sees neither, which leaves it blind to browser-based threats like Magecart and other web skimming attacks.

Prevent access directly in the browser

The challenge of keeping customer data safe is fast becoming the biggest differentiator in building customer trust and delivering the best web experiences. A recent analysis of more than 133,000 websites found that 37 percent had at least one JavaScript vulnerability, and another study found that more than 80 percent of websites are susceptible to infiltration by a malicious script.

So what can you do to protect your web apps and customers’ data?  

The defense that works regardless of where a script came from is to prevent any JavaScript from reading sensitive data it has not been authorized to read, by adopting a zero-trust approach to third-party JavaScript. Instart’s web skimming protection gives you precise control over what JavaScript can access on your website.

Instart’s zero-trust model automatically blocks JavaScript access to all HTML form fields and cookies unless a script has been given explicit permission. This stops any script, whether malicious, compromised, or simply non-essential, from reaching sensitive customer data such as names, addresses, credit card numbers, social security numbers, or passwords.
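To make the zero-trust model concrete, here is an added example of a browser-side access guard; it is illustrative code written for this page, not Instart’s implementation. It wraps the form-field `value` getter and the `document.cookie` getter so that every read of a protected field or cookie is attributed to the script that performed it, using the stack trace of the access (a technique commonly used for client-side script attribution), and checked against an explicit allowlist. A first-party checkout script on an allowlisted origin reads the card number normally; an injected third-party script, or code with no attributable script URL, gets an empty value and a log entry, which is the skimmer scenario described earlier. Every origin, field name, cookie and stack trace below is an assumed, constructed value, and the DOM objects are stubbed so the file runs under Node.

```javascript
'use strict';
// Added example (not Instart's code): a browser-side "zero-trust" guard for form fields
// and cookies. Reads of protected data are attributed to the calling script via the
// stack trace, then checked against an allowlist; unknown callers are denied by default.
// DOM objects are stubbed so this runs under Node; all origins/names/values are assumed.

// Allowlist: which script origins may read which protected resources (assumed values).
const POLICY = {
  'https://checkout.example.com': { fields: ['card_number', 'cvv'], cookies: ['session'] },
};
const PROTECTED_FIELDS = new Set(['card_number', 'cvv', 'expiry', 'password']);
const PROTECTED_COOKIES = new Set(['session']);
const GUARD_URL = 'https://www.example.com/js/guard.js'; // assumed URL the guard is served from

// Origin of the nearest stack frame that is not the guard's own script, or null when the
// access cannot be attributed to a script URL (inline handlers, eval'd code).
// Handles Chrome frames "at fn (https://h/s.js:1:2)" and Firefox frames "fn@https://h/s.js:1:2".
function callerOrigin(stack, guardScriptUrl) {
  const frameUrl = /(https?:\/\/[^\s()]+?):\d+:\d+/g;
  let m;
  while ((m = frameUrl.exec(stack)) !== null) {
    if (m[1] === guardScriptUrl) continue; // skip the guard's own frames
    try { return new URL(m[1]).origin; } catch (e) { return null; }
  }
  return null;
}

// Non-sensitive data is unrestricted; protected data needs a grant for this exact origin and name.
function isAllowed(origin, kind, name) {
  const protectedSet = kind === 'field' ? PROTECTED_FIELDS : PROTECTED_COOKIES;
  if (!protectedSet.has(name)) return true;
  if (origin === null || !Object.prototype.hasOwnProperty.call(POLICY, origin)) return false;
  const grant = POLICY[origin];
  return (kind === 'field' ? grant.fields : grant.cookies).includes(name);
}

// Minimal stand-ins for HTMLInputElement and document (a browser deployment would wrap
// the real HTMLInputElement.prototype and document instead).
function makeDom() {
  class Input {
    constructor(name, value) { this.name = name; this._value = value; }
    get value() { return this._value; }
  }
  const doc = { _cookies: { session: 'abc123', theme: 'dark' } };
  return { Input, doc };
}

// Replace the `value` and `cookie` getters with policy-checked versions. `getStack` is
// injected; in a browser it is () => new Error().stack. Denials are appended to `log`.
function installGuards(inputProto, doc, guardScriptUrl, getStack, log) {
  const originalGet = Object.getOwnPropertyDescriptor(inputProto, 'value').get;
  Object.defineProperty(inputProto, 'value', {
    configurable: true,
    get() {
      const origin = callerOrigin(getStack(), guardScriptUrl);
      if (!isAllowed(origin, 'field', this.name)) {
        log.push({ kind: 'field', name: this.name, origin });
        return ''; // the unauthorized reader sees nothing
      }
      return originalGet.call(this);
    },
  });
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() {
      const origin = callerOrigin(getStack(), guardScriptUrl);
      return Object.entries(doc._cookies)
        .filter(([name]) => {
          const ok = isAllowed(origin, 'cookie', name);
          if (!ok) log.push({ kind: 'cookie', name, origin });
          return ok;
        })
        .map(([name, value]) => `${name}=${value}`)
        .join('; ');
    },
  });
}

// Constructed stack traces standing in for new Error().stack inside the guarded getter:
// a first-party checkout script, an injected third-party script (Chrome and Firefox
// formats), and code with no attributable script URL.
const STACKS = {
  checkout: `Error\n    at get value (${GUARD_URL}:20:15)\n    at submitOrder (https://checkout.example.com/pay.js:44:9)`,
  skimmer: `Error\n    at get value (${GUARD_URL}:20:15)\n    at h (https://cdn.third-party.example/widget.js:1:2048)`,
  skimmerFirefox: `get value@${GUARD_URL}:20:15\nh@https://cdn.third-party.example/widget.js:1:2048`,
  unattributed: 'Error\n    at eval (eval at <anonymous>, <anonymous>:1:5)',
};

// Run one reader against a fresh guarded DOM and report what it could see.
function simulate(stackName) {
  const { Input, doc } = makeDom();
  const log = [];
  installGuards(Input.prototype, doc, GUARD_URL, () => STACKS[stackName], log);
  const card = new Input('card_number', '4111111111111111');
  const email = new Input('email', 'shopper@example.com');
  return { card: card.value, email: email.value, cookie: doc.cookie, denied: log.map((e) => `${e.kind}:${e.name}`) };
}

for (const name of Object.keys(STACKS)) console.log(name, simulate(name));
```

Two caveats a practitioner should keep in mind with this approach. Stack-based attribution is only as good as the allowlist: any code served from an allowlisted origin inherits its grant, so grants should be as narrow as the checkout page genuinely needs, and a trusted function that reads a field on behalf of whoever calls it can be abused as a confused deputy. The guard also has to be the first script on the page, before any third-party code runs, and reading `.value` is not the only way to capture input; keystroke listeners on the same fields need the same treatment.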
