Cybersecurity Awareness Month is a good time to remind ourselves that the responsibility to secure the customer experience goes beyond our infrastructure and all the way out to the browser. For organizations that are passionate about protecting their customers, browser-based attacks are particularly frustrating because the impact directly affects customers. While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organization’s website to attack the customers or to attack another organization entirely.
Browser-based attacks occur when attackers inject malicious code into components that are served up onto a website. All modern websites include third-party scripts, and attackers have successfully injected code into several. Recent examples of browser-based attacks include Magecart and the ongoing proliferation of cryptomining malware.
Consider the different ways that a browser-based attack can impact your organization, impact your users, or impact organizations you don’t even know. As you assess the threat of browser-based attacks, know that attackers:
- Specifically target your site and your users. Magecart is a prominent criminal syndicate and focuses on skimming customer data from web forms to gain credit card numbers and personally identifiable information (PII). Both the user (who has had their PII stolen yet again) and the organization (which must deal with the consequences of a data breach) are victims. British Airways (which paid a $230M fine for its breach) and Ticketmaster UK were both targeted by Magecart.
- Leverage your site’s execution to target your users. In this scenario, your organization’s website is a means to an end; if an attacker can inject a malicious script somewhere onto your site (either through one of your scripts or through a third-party script), your customers will find their systems mining cryptocurrency or surreptitiously funneling personal data to a cybercriminal. Customers will contend with pop-ups, clickjacks, and other types of interference that drastically change their experience on your site.
- Convert your users to attackers. In this case, an attacker injects malicious code onto your website and uses it to turn your customers’ systems into bots. The attacker then turns the botnet on some other system or organization (think the Mirai botnet from a couple of years ago or one of the iterations of the 3ve ad fraud operation).
You may feel challenged to protect customers from browser-based attacks due to lack of control over a customer’s environment (their browser usage, their settings, their permissions, whether they click on the link, etc.). However, you must reduce the risk by:
- Regularly analyzing your own website scripts throughout the development lifecycle.
- Implementing client-side protections such as anti-skimming and malware protection.
- Deploying bot management solutions to detect and defend against botnets that result from browser-based attacks.
As attackers focus more on the client side, organizations must consider the impact of script and browser vulnerabilities more broadly. Work the above scenarios into your threat modeling, and think about how to best protect your customers and their experiences with your site. Applications continue to be the most common path for attackers; don’t let browser-based attacks be your weak link.