Guess what? Corporate websites are out of your control

Recognizing how websites and mobile apps have transformed business models

website shadow IT

Marriott. Toys R Us. Darden Restaurants. Wal-Mart. Kraft. Neiman Marcus. Dell. What do these diverse companies have in common? They are all digital publishers.

As highlighted in a recent article, Dell spends millions of dollars each year developing content for their public-facing website. From placing advertisements to writing stories about women in technology to creating informative videos, Dell recognizes the power of digital content as an important part of the sales process. And their public-facing website serves as the primary communication channel to their most valuable asset—the customer. Dell isn’t alone.

Once relegated to traditional media companies, the concept of a digital publisher has morphed to encapsulate any organization that uses digital channels to promote their business—either directly with coupons, product reviews and ecommerce capabilities or indirectly via promotional videos, polls and recipes. In effect, any firm with a digital property—website or mobile app—should consider themselves a digital publisher.

Digital content is outside your control

Digital content and the channels through which it is acquired and delivered requires a new approach to security.

High-quality, informative websites and mobile apps attract visitors, and this attention draws evildoers. Looking to capitalize on your hard-won customers and website traffic, these bad actors mine for poor web code to exploit. They redirect visitors outside your page, launch malware downloads, and steal valuable visitor data, to name a few actions that no reputable business wants. In fact, online and mobile channels are the primary vectors for malware, with 85% of all malware distributed via the web.

Securing public-facing digital properties should be easy, right? The challenge is that most of the code delivering the interactive and engaging user experience that renders on the site visitor’s browser is from a third party and therefore outside your control. As a matter of fact, third-party code makes up more than 78% of the code found on Fortune 1000 websites. Think about it. Almost every corporate website uses video, blog, talent acquisition and social media tools in addition to the standard backend data analytics and marketing platforms. Though incorporated into your website design, these third-party providers execute outside your website’s technical operation thereby minimizing your ability to control their security or activity. And they are often compromised. (Read more about third-party code providers.)

Responsibility of Securing public-facing digital properties

Viewed from a digital publisher lens, strategic business growth depends on delivering a top-notch user experience to website visitors and mobile apps users—customers and employees. Securing these digital properties means closely monitoring third-party activities to ensure they are not dropping malware, collecting unauthorized user data or negatively impacting site performance.

With digital publishing comes responsibility. Embrace it.

Leaving the light on…and exposing visitors to malware

Hotel websites are vulnerable to malware and data leakage

Hotel website security

The hotel industry is poised for continued growth in 2015, coming off a stellar 2014 which saw occupancy rise to levels not seen in more than 20 years. With the World Tourism Organization projecting more than 1.4 billion international journeys in the year 2020, you can bet that hotel websites will play a central role in fulfilling these travel needs.

What are hotels doing to secure a share of this volume? Many incorporate video, add feedback collection and recommendation features, leverage blogs, or enhance the content management system. These various services provide for a more interactive and engaging website, as well as enable the site to be optimized. But, did you know that they also represent an entry point for malware and data leakage that can expose a customer’s personally identifiable information?

Yes, hotel ecommerce sites are rife with third-party vendors. As outlined in our recent blog post, brand and ecommerce site managers are not doing enough to protect the online and mobile environment FOR their customers. And hotel websites are no different. In fact, current industry rumors point to a manipulation of an account-checking tool used by a major hotel chain. The compromised tool, in concert with stolen passwords, allowed fraudsters to open new accounts and transfer rewards points which were then exchanged for gift cards. So that got The Media Trust thinking about other website vulnerabilities faced by hotels.

In early December, The Media Trust analyzed the 34 top hotel websites, as listed in STORES magazine’s annual “2013 Top 250 Global Hotels” report published in January 2014. Analysis involved the scanning of all public-facing website pages and the capture of all third-party vendors, domains and cookies present on each hotel’s site.

Over a seven-day period, The Media Trust’s Media Scanner scanned each hotel’s website homepage and major sections 250 times a day—a total 1,750 scans across each site. Each scan executed the web page as if being viewed by a typical consumer, and collected and analyzed all third-party code, content and text for security, latency and data leakage issues. Leveraging our presence in more than 500 global locations, The Media Trust replicated a true user experience as if a real consumer visited the website, and therefore did not have the ability to collect actual visitor data.

The results were interesting. The average site utilized 47 different domains, 31 vendors and 65 cookies; however, some outlier hotel sites used as many as 134 domains and 148 cookies.

                                      Average       High

            Domains:             47              134
Vendors:              31                57
Cookies:              65              148

What does this mean? That’s a good question. In theory, low numbers are preferred from a manageability perspective as each domain, vendor or cookie represents an access point to or action on a site—the fewer utilized in site operation, the fewer to manage. However, the reality is that a sizeable number of third-party vendors, domains and cookies are found on most sites as they provide the interactive and engaging functionality executing on browsers.

This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware; or, redirect visitors to another, possibly malicious, website or app; or, secretly collect website visitor (first-party) data. In addition, each third party can call dozens of fourth or fifth parties which exponentially increases the risk to site visitors.

Browser cookies provide essential site functions, including the ability to navigate without repeating data entry such as destination, travel dates and room requirements. However, the process of dropping the cookie can easily be compromised by an unauthorized party piggybacking on the cookie. In addition, some third-party vendors drop cookies to collect website visitor/first-party data without website owner/operator knowledge. Known as “data leakage”, these cookies track valuable user behavior—data about guests, their interests and travel periods—which can be resold into the online ecosystem for customer targeting by competitors or industry partners. If that data includes personally identifiable information (PII) the website owner/operator could be subject to data privacy violations. With state attorneys general and the federal government cracking down on PII, hotels must be mindful of public-facing website properties and what is executing on visitor browsers.

Hotel websites are vulnerable to data leakage and malware, and this vulnerability opens the door to litigation and significant brand damage. For these reasons website owner/operators need to thoroughly identify, approve and monitor third-party vendors and their activities at all times.

The big question is: How are the major hotel chains managing their public-facing websites to protect their customers?

What’s on your website? And what’s it doing there?

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.

 

SEA attack is no surprise

Ecommerce website losses estimated in the millions of dollars.

Boom! There it is. As expected, someone took advantage of the holiday season to make a statement, and hacking into media and corporate brand websites is one way to get the world’s attention.

Early yesterday morning at 6:38 a.m. EST, The Media Trust was the first security company to detect a pop-up screen stating the Syrian Electronic Army (SEA) had hacked a website, first in mobile and then online environments. The ongoing, 24/7 scanning of more than 25,000 websites through our Media Scanner services allowed us to quickly detect the hack and prepare our clients for battle.

Upon detection of this pop-up message, The Media Trust’s Malware Team immediately analyzed the code and determined it stemmed from a call made by Gigya, a customer management platform used by more than 700 leading brands. The Malware Team immediately contacted affected clients so they could quickly remove and then block the malicious file, thereby helping clients avoid the time-consuming hassle of tracking down the issue’s source.

This was an indirect attack, because it compromised the DNS server at gigya.com, which is hosted by GoDaddy. The SEA did not gain access to the Gigya servers; instead they redirected Gigya’s Internet traffic to its own servers and then served a file called “socialize.js” which displayed the SEA’s message.

As with their past attacks, the SEA targeted media outlets and focused exclusively on websites and was not related to any ad content. The SEA attack did not distribute malware and was designed as an effective publicity stunt. Yet, what’s to stop them from doing something worse the next time? And, let’s be honest, even without the presence of malware, a message on an ecommerce site stating that it has been hacked, even for a few hours, results in lost transactions – those few hours translate into millions of dollars of unrecoupable revenue.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. As The Media Trust cautioned in last week’s blog post, the holiday season is when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Keep in mind that The Media Trust’s Media Scanner detected this attack before Gigya. Do you want to know about your website being comprised so you can take action before the world knows? Think about it.

Ecommerce: Are you ready for the 2014 holidays?

It’s the most wonderful time of the year…for ecommerce.

For many, the cooler temperatures and shorter days signal the start of holiday shopping, and the 2014 holiday season is expected to witness a 15.5% increase in ecommerce sales. Mobile transactions will constitute a third of that number generated, with the average consumer spending $248 online. For others, the increased volume of online shopping serves as a tempting target for web-based attacks in the form of malware, and consumers are the innocent participants.

Malware attacks skyrocket during the holiday season. This makes sense when you consider that more than 25% of total U.S. annual online sales are expected to occur in November and December.With more than $6.5 billion in ecommerce sales expected this year, you can bet the online ecosystem will be targeted.

Much like retailers stock the shelves, ecommerce sites load up with images, product descriptions and advertisements promoting this season’s must-have items and offering discounts in preparation to cash in on the uptick in website visitors. However, this super-sized volume also attracts those looking to make a quick buck by taking advantage of your customers and their online shopping activities. They hijack your ads or third-party content to deliver nefarious code that auto installs on your site visitor’s device. Often, due to fraudsters’ ever-increasing sophistication, these ads or images don’t even require user action. The process of simply serving the impression of an infected ad, image or product review can set the malware wheels in motion.

The Media Trust has had a front-row seat to these activities for the past few years, witnessing the doubling and sometimes tripling of attacks via web-based advertisements or “malvertising” from November through January. The attacks typically kick into high gear on the Wednesday before the U.S. Thanksgiving holiday, a time when many employees charged with supporting and maintaining your website are at home enjoying the long weekend. The staff required to keep the website operational focus only on functionality and often don’t notice the anomalous, third-party code piggybacked to their ads and third-party content.

What’s the worst that can happen? Your website and/or ads become a flashpoint for a major attack, infecting thousands of your customers or potential customers with harmful malware. Typically, the malware downloads an exploit kit onto a customer’s device and mines for system weaknesses to leverage, like passwords or access to personal bank accounts. Sometimes, the hijacked content redirects valuable customers to a fraudulent site, resulting in lost revenue. In either scenario, your customers experience a negative interaction with your brand.

The reality is that your public-facing ecommerce site, quite possibly the bread and butter of your business, can serve as a prime purveyor of malware to your customers. The only way to prevent such attacks is to monitor all ad tags and website code executing on the browser or app, including your own code and that of third parties, data management platforms, advertising re-targeters, analytic firms and sales platforms. Continuous, 24/7 monitoring ensures the detection and analysis of all unknown or anomalous ads and third-party code served to the site, and real-time detection enables ecommerce operators to quickly remove and then block the suspicious or malicious ad tag or code before any damage to site visitors or brand occurs.

Brand protection, revenue security and site performance–those are the best holiday gifts to give and receive.

 

Eyeota announces partnership with The Media Trust

Bringing world-class protection solutions to online publishers in Asia Pacific and Europe.

Eyeota The Media Trust partnership

SINGAPORE, July 7, 2014 – Eyeota, the world’s largest international audience data marketplace, today announced a partnership with The Media Trust, a global leader in monitoring and protecting the online and mobile advertising ecosystems, to provide world-class transparency, verification and protection tools to Eyeota’s publishers and data providers across the globe.

With a physical presence in 500 global cities located across six continents, The Media Trust’s proprietary website and ad tag scanning technology provides continuous, non-stop protection against malware, web and mobile anomalies, site performance issues and data leakage, which can lead to lost revenue and privacy violations. Both collectively and individually these can and do harm the customer experience, negate a publisher’s ability to monetize its own audience data, lead to possible privacy violations and damage the publisher’s and data provider’s reputation and, ultimately, revenue. More than 400 publishers, ad networks, exchanges, agencies and corporate enterprises from across the online and mobile ad ecosystems use The Media Trust’s suite of continuous, non-stop detecting, inspecting, alerting and verification services to protect their website.

“As audience-based ad targeting is becoming the norm, publishers have realized their data is their number one asset. Publishers are exposed daily to data theft, data skimming and data leakage. Eyeota has partnered with The Media Trust to bring the best protection, transparency and verification tools to publishers across the globe. The Media Trust is the world leader in data and malware protection for publishers. More than 75% of the top publishers in the United States use their solutions to monitor, protect and shield their data.” Said Kevin Tan, CEO, Eyeota.

He added, “Given the inherent complexity of online ad serving, publishers need continuous, 24/7 monitoring of all ad tags and tools running on their sites, as well as real-time alerts on any unauthorized tracking of website visitors. This partnership not only brings a comprehensive suite of services to our publishers, but it also demonstrates the importance Eyeota continues to place on publishers and the job of protecting their online assets. The Media Trust offers best-in-class solutions, and we are very pleased to announce this partnership.”

Chris Olson, chief executive officer and co-founder of The Media Trust said, “Partnering with Eyeota in international markets was a natural decision. Not only is Eyeota the trusted leader in third-party monetization and management solutions for publishers worldwide, but their publisher-centric focus demonstrates they understand publishers’ challenges and needs as well as the value of their data.”

The Media Trust monitoring and protection solutions will be available worldwide on the Eyeota platform beginning immediately.

For more information please contact:

Eyeota: Laura Keeling – lkeeling@eyeota.com, Telephone: +65 9117.3718

The Media Trust: Ellen Donovan – ellen@themediatrust.com, Telephone +1 404.374.7822