The modern web is ripe for exploitation
On websites today, less than one third of the code is native to the site; more than two thirds of what the browser loads (tag management, analytics libraries, form builders, audio/video integration, social media widgets, etc.) is fetched from third parties. Each third-party integration is an additional opportunity for a client-side attack, because that code runs in the user's browser with the same access to the page and its form fields as the site's own code. Given this shift in how modern web applications are built, what does it mean for an enterprise to retain control of, and secure, its application and its users?
Anatomy of a typical Magecart attack
What can website owners do?
The best defense against client-side attacks like Magecart starts with identifying how much third-party code runs on your site. The next layer is establishing the expected behavior of that code. Browser security standards such as Content Security Policy (CSP), Subresource Integrity (SRI), HSTS, iframe sandboxing, Referrer-Policy and others protect web applications as they execute on client devices; because the browser itself enforces them, they add no server-side processing and do not slow the page down. Deploying these standards is the best way to protect your business from financial and reputational loss while keeping the site fast. In the Focus Camera breach, standards-based policies and headers would have stopped the attack at two points. Adding an SRI hash to the script tag that loads a third-party script makes the browser refuse to execute a modified copy, because the digest of the fetched file no longer matches the pinned value; note that SRI on a cross-origin script requires the tag to carry crossorigin="anonymous" and the vendor to serve the file with CORS headers, and it only works for scripts whose contents are fixed. For scripts that cannot be hashed because the vendor changes them without notice, exfiltration can still be prevented by a fine-grained Content Security Policy whose connect-src directive (and, since skimmers also leak data through image beacons and rewritten form targets, img-src and form-action) allows only known endpoints, so that a request to an unauthorized host such as "zdsassets.com", the domain used in this attack, is blocked by the browser before it leaves the page.
Fighting Magecart doesn’t have to be difficult
Tala’s innovative solution ensures that all types of client-side attacks are prevented in real time, without impacting website performance. We do this by automating standards-based security, natively available in every modern browser. This means no overhead and no impact on website performance.
Securing websites against this accelerating attack should be an imperative for every website owner. Learn more about how Tala prevents Magecart here.