July 04, 2019

Web-Based Supply Chain Attacks in the Enterprise

by Jscrambler

A company's website or web app has become the perfect stage to steal its users' data.

For a long time, data breaches were perceived as the direct result of attackers gaining unauthorized access to a database, so companies were urged to protect everything inside the firewall. Arguably, the servers of today's enterprise are more secure than ever, as new legislation like GDPR introduced hefty fines for data breaches.

Despite this push for increased security, some reports found a 424% increase in data breaches in 2018. Other research pointed out that 59% of companies experienced a data breach caused by one of their vendors or third-parties.

Here we find two distinct ways in which companies can be breached. While a first-party data breach most often requires attackers to infiltrate a database, a third-party data breach originates from attackers going after the enterprise's smaller, less secure providers, which are the weakest link in the supply chain — hence the term Supply Chain Attack.

Zooming into 2018 and 2019, we find a clear pattern in supply chain attacks targeting the enterprise: a web-based attack vector. The attacks on Equifax, British Airways, Ticketmaster, and Forbes were achieved with malicious code that was injected into the companies' websites and then run in their users' browsers. A company's website or web app has become the perfect stage to steal its users' data.

Most third-party code providers don’t have enterprise-grade security systems, and yet this external code has the same permissions as the code that companies develop in-house. — Pedro Fortuna, Jscrambler CTO, on TechRadar

Web-based Supply Chain Attacks thrive because it is not hard for attackers to find a poorly secured third party whose code is used by one or several large enterprises.

Let's not forget that 67% of the scripts loaded in today's average web app come from third parties. And once we move past scripts that come from reputable sources like Google, we find others that are built and maintained by a single developer — such was the case of the event-stream incident, where all it took was for the malicious actor to ask the original developer for access to maintain the code base.

Use of Third-Party Scripts

When an attacker compromises one of these third-party scripts by injecting malicious code, the company's perimeter defenses fail to detect the attack, because it originated in a component of the system that was trusted by default and executes in the user's browser rather than on the company's servers.

Whether the attack seeks to steal user credentials, use the user's computer to mine cryptocurrency, or steal the user's credit card details (as in Magecart attacks, which amounted to over 50,000 incidents in 2018), the fact remains that current approaches fall short — short enough to put entire businesses at stake.

Just as it is inconceivable today for an enterprise not to have a Web Application Firewall (WAF) in place, there is too much on the line not to have a client-side security system that actively detects and mitigates web-based supply chain attacks in real time.

In case you're interested to know more about these attacks and see a demonstration of Webpage Integrity's mitigation approach, book a demo here!