CSO Blog: Web-based Malware Not up to Code

Article first published to CSO Blog via IDG Contributor network on November 20, 2017

Cyber security concept shieldRead article

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.

Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites such as gambling, or porn suffered from poor security, but this isn’t true. Throughout 2017, the media reported security incidents occurring on numerous well-known, highly-trafficked websites like Equifax, State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC

Continue reading

 

MarTech Today: Companies are afraid of everyone’s website but their own

iStock_000001511231_Small

Article appeared in MarTech Today, Nov. 16, 2017

Read article

The Media Trust CEO: Most of what happens on your web site is not controlled by you

And this third-party code, says Chris Olson, results in dozens of cookies for each user, security vulnerabilities and performance hits.

 

PODCAST: How do we fix the internet?

Check out Charles Tendell’s interview of Chris Olson, CEO of The Media Trust, about the challenges of website security and the risk contributed by third-party code.

Listen here.

The world is a digital economy; however, there is a general lack of awareness for how to secure the highly-dynamic digital environment which requires a continuous security approach. The onus is on mobile app developers & website operators to ensure their assets are safe. The key to managing risk requires:

  • Knowing your digital vendors/partners
  • Identifying & authorizing their activity
  • Communicating your policy & establishing responsibility
  • Evaluating vendor compliance with your policy

 

This podcast was recorded on October 24, 2017

Parked Domains, pantry moths, and you

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

Parked domains have little security

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Pantry moths are like parked domainsYes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern, is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.
Parked domains are dangerous

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:
Parked Domains FAQs

  1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
    Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third-parties will bring fourth and fifth party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
  2. Can my own parked domain be compromised?
    Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
  3. Can my current website security solution detect these parked domains?
    Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
  4. So what can I do?
    Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
    “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.
  5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
    Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze it first before transferring to storage containers and use the supplies as quickly as you can.

 

INFOGRAPHIC: Data Protection and Privacy Regulations

Your customer’s digital experience is powered by a range of third-party services not controlled by enterprise IT–ad blocker, advertising, analytics, content recommendation, data management, payments, social widgets, video players, and so much more. Increasingly, these services are proving to be a source of regulatory violations.

Download: Data Protection Infographic

TMT-DataPrivacy-FULL-Info

GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

GDPR Pandora's Box
Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties. 

Digital vendors and the GDPR

The internet is a highly-dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers around personal online behavior data—specifically information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.–and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred and confidence that it is adequately protected!

Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately companies will need to ensure each of their advertising partners do not engage in activity which could put their organization or customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third-parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, they fail to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be as a result of shadow IT resources. Based on this evidence it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill-afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/ consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, less opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.

Digital Vendor Risk Management – The Next Compliance Frontier

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Law360 in September 2017

Compliance Rules Law Regulation Policy Business Technology concept

In 2013, Target, a popular US-based retailer suffered a massive data breach as a result of a compromised contractor. That incident, and countless others like it, changed the way organizations—and regulators—view data security, third-party business relationships, and risk management.

Unfortunately, heightened awareness of third-party risk and the urgency of identifying third-party activity has not fully extended to the consumer-facing digital assets—websites, mobile applications, social media—that form the backbone of modern business-to-consumer communications. As demonstrated by Equifax’s recent website breach[i], internet-rendered risks need to be taken more seriously. Enterprises that fail to see how their digital assets act as conduits for nefarious actors and for unauthorized data collection and data sharing, could result in dire consequences in the form of regulatory fines, security incidents and brand damage. Besides lost fees, law firms and legal consultants are doing a disservice by not providing a more comprehensive guidance to their clients.

Dynamic digital ecosystem

Internet-related technology has changed dramatically in a short time span. To put things into perspective, 20 years ago websites contained static code, mostly owned and operated by the enterprise. Fast forward to today and the polar opposite: a majority of code that executes on websites (between 50-75%) come from third-party service providers.

Third-party vendors provide the interactive and engaging functionality that people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, third parties are also the source of numerous backend services that optimize the digital business-to-consumer interaction—content delivery network, marketing management platforms, consumer data tracking, data analytics, and more.

Yes, third parties are critical to the business-to-consumer digital experience, but they also present critical challenges to the enterprise. Many enterprises do not closely monitor the scope and nature of the data collection and sharing activities occurring on their digital assets. Because third-party vendors typically operate outside the purview of today’s IT and security infrastructure, enterprises often have minimal insight into or control over the actual website code execution and data collection activities on its digital assets, including activities that directly impact a customer’s browser.

Many of today’s website security solutions and consent management tools are insufficient to monitor this third-party code and data collection activities. As a result, digital assets can easily be compromised without an enterprise’s knowledge and become a conduit for malware propagation, data leakage, and unauthorized tracking and data collection. Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance; and, this reality should be a major boardroom or C-level topic.

Enterprises need digital asset compliance strategies for various domestic and international privacy and security regulations such as COPPA, HIPAA, FERPA and GDPR, among others, as well as industry standards such as PCI DSS and voluntary self-regulatory practices. The ability to demonstrate compliance reduces the risk of penalties, hefty fines and ensuing reputational harm, not to mention black swan events as experienced by Target and Equifax.

Digital risks require a digital management approach

Effectively identifying, defining and mitigating digital asset risk, while challenging, is consistent with the principles of Vendor Risk Management (VRM; sometimes also called “vendor management”). VRM is the widely adopted practice of building an extensive organization-wide plan to identify and decrease the potential business uncertainties and legal liabilities associated with third-party vendors, especially in relation to information technology (IT) products and services. Today’s digital environment requires VRM strategies, but with a twist to adapt to its ever-changing nature and the fact that most digital asset activities are not traditionally associated with privacy, data security, and compliance.

Enter digital or online vendor risk management. This process extends the third-party risk management processes of VRM to the various vendors who are active in an enterprise’s digital ecosystem. Effective application calls for collaboration among security, risk and compliance professionals to ensure continuous monitoring of consumer-facing digital assets—websites, mobile apps and social media—to identify, analyze and govern third-party digital vendor risks.

Mapping the uncertainty and potential threats that third-party activities on digital assets pose is not straightforward. Due to the size, complexity and variability of the opaque enterprise-digital vendor relationship, digital asset management requires a specific policy. First, however, enterprises need to evaluate risks in two critical areas:

  1. Security: An enterprise’s digital assets are directly affected if a third- (or even a fourth- or fifth-) party vendor’s code is compromised to deliver malware to consumers, redirect consumers or create a vulnerability that can be exploited to breach the enterprise network. As the primary vector for the incident, the enterprise is responsible for protecting not only its digital assets and network but also its customers, employees, and third parties who use those digital assets.
  2. Data Regulations: Organizations are also responsible for preventing undisclosed or unauthorized data collection and data sharing activities on their digital assets, even if the conduct results from the activities of a third-, fourth-, or fifth-party digital vendor and the enterprise is not aware of those activities.

For example, if a digital vendor contributing code to an enterprise website collects information about or tracks online activities of children (under 13 years of age in the U.S., or presumptively under 16 years of age in the E.U.) the enterprise may have violated COPPA and/or GDPR.  The enterprise bears a significant portion of liability because the activity took place as a result of a digital vendor authorized to execute code or engage in other activities on their digital asset and they did not monitor those activities or otherwise manage vendor risk.; Failing to explicitly detail, monitor, and enforce authorized digital asset activities and prohibit unauthorized ones could have significant legal, operational, and trust implications for the enterprise.

Evaluating these two critical areas highlights both the types and levels of risk posed by failing to manage third-party digital vendors. Furthermore, the answers point to the need for developing a specialized digital asset policy(ies), which should be shared with digital service partners and providers to make sure that they, too, are aware of their compliance obligations and for the risks associated with non-compliance. This policy should address regulations (national and international), industry best practices and company-specific data policies.

Rein in risk exposure for websites and mobile apps

The digital ecosystem is riddled with security and compliance hazards, and U.S. and international regulators are increasingly aware of the risks posed by third-party digital vendors and the absence of enterprise awareness. Emerging regulatory frameworks, including GDPR, place an increased emphasis on vendor management and thus provide a rare opportunity for legal and compliance consultants to educate their clients about the hidden vulnerabilities in their digital assets and the importance of risk mitigation. Now, more than ever, IT, security, risk and compliance departments must collaborate to effectively govern their digital assets.

At a high level, the process for controlling digital asset risk involves three steps:

  1. Discover and classify: Identify all digital vendors and analyze all digital vendor code executing on websites, mobile apps and social media platforms.
  2. Communicate and comply: Once the digital vendors have been identified, share your digital asset management policy with them, set parameters to measure their compliance with relevant policy directives, and establish contracts delineating authorized activity. Pay particular attention to real-time cookie drops, pixel fires, other data tracking elements that identify users and/or their devices, and data collection and sharing activities.
  3. Monitor, resolve and report: When monitoring discloses an unauthorized digital asset activity, the enterprise should block the code and remediate the unauthorized activity with the offending vendor. Create an audit trail by documenting the entire cycle and vendor ability (and willingness) to abide by stated policies.

If digital or online vendor risk management seems like a lot of work, or an unnecessary extension of existing compliance practices, then security, privacy, risk, legal and compliance professionals should ask themselves: “Would we allow a stranger to enter our office building and carry out unauthorized activities such as taking our customer information, sending our customers to our competitors, or violating our policies and procedures?” No, you wouldn’t. Therefore, it only makes sense to exercise the same caution for your digital assets.

[i] http://www.prnewswire.com/news-releases/equifax-announces-cybersecurity-incident-involving-consumer-information-300515960.html

5 Reasons to Focus on Malware Delivery Mechanisms

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Originally published by Security Magazine

Malware Delivery Mechanism

Defending against today’s pervasive web-based malware is not as straightforward and simple as it used to be. According to Symantec’s Monthly Threat report, the number of web attacks almost doubled in April of this year alone, up from 584,000 per day to 1,038,000 per day. Bad actors – seasoned cyber criminals, hacktivists, insiders, script kiddies and more – target premium, frequently whitelisted websites with varied motives such as financial, espionage and sabotage, to name a few. These web-based attacks are more targeted, complex and hard to detect, and when an employee visits an infected website, the damage to an enterprise network can be debilitating. Traditional security defenses like blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls fail to offer comprehensive protection. An alternative security approach is necessary, especially when working with malware data.

Managing malware data needs a paradigm shift

Currently, Information Security Professionals (InfoSec) and IT teams are trained to focus on the context of the web-based malware: What the payload might be; Is it replicating or morphing; Where’s the payload analysis; Who is targeting the website and why; along with a host of other variables. These are definitely valid questions, but should only be asked after action is taken to block it – not in order to take action.

Using existing analysis tactics to assess the ever-increasing volume of malware information is a Sisyphean task in the digital environment. The time it takes to agree that something is malicious is in direct proportion to your network’s exposure to web-based malware.

It’s time for InfoSec and IT teams to take a new, proactive approach to shielding customers and Internet real estate from web-based malware. It starts with adopting this simpler definition of malware: “Any code, program or application that behaves abnormally or that has an unwarranted presence on a device, network or digital asset.”

In essence, any code or behavior not germane to the intended execution of a web-based asset is considered malware. While this definition covers the obvious overt offenders it also includes seemingly non-malicious items including toolbars, redirects, bot drops, etc. Adopting a simple, yet broad definition enables you to focus on shielding your enterprise network from a wide range of active and potential malware attacks.

Understanding the digital environment is critical to breaking the analysis paralysis cycle and replacing it with a “block and tackle” approach. To do so, IT professionals need to focus on what matters: identifying the delivery mechanism in order to stop malware from penetrating the enterprise network. Here are five reasons why you should focus on the delivery mechanism:

Reason 1: Temporal malware is still dangerous

Web-based malware or malware delivered via the consumer internet (websites a typical person visits in the course of their daily activities, such as news, weather, travel, social and ecommerce sites) is fleeting and temporal. Research from The Media Trust reveals that in many scenarios web-based malware is active for as short as a few hours, giving little time for a deep dive analysis before blocking offending domains. If you spend time on analysis, you are a target for compromise because if the malware doesn’t infect your organization at the outset, it will most likely morph into another malicious domain or code to retarget the website with something more debilitating such as ransomware or keystroke logging.

Reason 2: Non-overt malware will turn on you eventually

Malware does not necessarily need to be complex or overtly malicious right from the start or upon initial detection. Annoying or seemingly innocuous behavior such as out-of-browser redirects, excessive cookie use, non-human clicks/actions or toolbar drops qualify as malware. While these behaviors may initially appear benign, they will frequently reveal their true intention upon a closer look at both Indicators of Threat (IOC) and Patterns of Attack (POA).

It happens quite often and reports suggest that every year researchers track 500+ malware evasion tactics used to bypass detection. For instance, a recent attack on several small and medium-tier ecommerce websites demonstrates malicious domains executing over varying time intervals and, in at least one instance, move from website to website across various geographies in order to avoid detection. In other instances, malware is specifically coded to look benign and only execute when certain conditions are met, e.g., geography, device, user profile or combinations of conditions. Taking weeks or months, this delayed execution is an effective technique to evade detection by most scanners. An auto-refresh ad on the browser or an alert to update software could be a red flag.

Reason 3: What’s in a name? 

While names are understandably necessary to tag malware, there is a tendency to initially fixate on labels rather than block the malware itself. For professionals in the frontlines of trying to stop web-based malware from infecting the enterprise network, focusing on the name can increase the dwell time and do more harm than good. Instead compromised domains will give teams better insight and allow them to block the malware from penetrating networks.

Reason 4: Past malware doesn’t predict future attacks

Just because malware is validated with a name or belongs to a recognized family; it does not always mean that information to defend against future attacks is necessarily reliable. The polymorphic nature of web-based malware allows it to propagate via different domains in various shapes and forms – embed malicious code on a web page through a particular CMS platform, execute an out-of-browser redirect, or present a fake system update alert. Not only is the delivery channel constantly changing, but also the actual intent and payload may change as well. Relying on past research is not a foolproof defense when it comes to ever-changing malware propagating in the digital ecosystem, which is a complex, mostly opaque environment.

Reason 5: Death by analysis

Extensive analysis of web-based malware before blocking it could have severe repercussions – either by way of a corrupted endpoint or a larger network breach. Once web-based malware reach endpoints, it is already past the security perimeter which means remediation efforts are necessary. According to reports, the average cost for an enterprise to clean up a web-based attack is estimated to be $96,000 and more.  Think of how many resources – people, time, money – could be saved if malware was immediately blocked upon detection.

By focusing on the delivery mechanism, security professionals can take a proactive stance to harden website defenses against web-based malware and also significantly reduce the time to action when it comes to securing endpoints and the enterprise networks. Real-time response is required or it provides the perfect window of opportunity for an attack to be successful.

GDPR Compliance Risks on Websites

Authored by Matt O’Neill, General Manager, Europe, The Media Trust. 

The way the cookie crumbles

Website-compliance-risks

Today’s websites and apps (your corporate website included) are powered by sophisticated technology. After all, in order support consumer expectations—content consumption, search, social networking, shopping carts, travel booking, banking, news, gaming and so much more—websites incorporate robust solutions on the backend.

These solutions aren’t news to most InfoSec professionals, but it is where security problems start. Think about it. Almost 80% of a typical website’s functionality is outsourced to vendors providing specialized services such as data management platforms, marketing analytics, customer identification, image or video hosting, payment processing, content delivery and more. This third-party code operates outside the purview of your IT and security infrastructure, which means that you control less than 25% of the code executing on your website. As the website operator, you have no insight into when this code is compromised to act as a conduit for malware propagation and unauthorized audience data collection. Considering the current regulatory environment around data compliance, the above statistics should make you nervous.

Cookie crumbs

To put it bluntly: You can’t control what you don’t see, and the third-party code enabled functionalities on your digital properties are compromised more often than you think. Also, you have more third-party code than you realize.

As the security provider of choice for the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 500 incidents at any one time. Some of the simplest websites average 10 third-party vendors, but most have dozens. The vendors continuously change and so do their actions.

The Media Trust’s website security and scanning team often detects persistent or unauthorized cookies with a lifespan of 30 years or more; one brand name ecommerce website recently dropped a 7,000+ year cookie. This is a huge issue with the EU’s General Data Protection Regulation (GDPR) which goes into effect in less than a year. Compliance to GDPR requires detailed, real-time, knowledge of executing digital partners and their activity, including the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.

If you are wondering how GDPR affects your business, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU resident, therefore every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And, the global nature of the internet means any business with EU website traffic or app users needs to comply as well.

Clearly, enterprises should make some changes to digital operations in order to reduce exposure to GDPR violations. At a minimum, you need to do the following for all your digital properties—websites (desktop and mobile) and mobile apps included:

1. Communicate privacy policy

  • Write a clear privacy policy that explains use of third-party code and outlines any data collection activity
  • Place banner on homepage
  • Deliver Internal training

2. Provide easy-to-use opt in/ opt out mechanism

  • Explain need for tracking and how cookies are used to drive digital operations
  • Share links to individual privacy policies of all in-scope vendors on your site
  • Allow individuals to explicitly agree and/or refuse tracking

3. Understand how website/app-generated data is acquired, used & stored

  • Identify data: Registration, Cookies, IP addresses, device IDs
  • Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
  • Evaluate need for a specific policy regarding data collection of minor activity (16 years old in GDPR; under 13 years old in U.K. and U.S.)

4. Support data portability

5. Incorporate website intrusion in data breach reporting

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done! With the fines for noncompliance enumerated in the regulation (between 4% of global revenues or €20 Million), InfoSec is under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.   

Ignorance is real. So is anarchy.

With such a tall order, it is disturbing that so many InfoSec professionals overlook the perils of third-party vendor code going unchecked. Companies desperately need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors.

Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. It is a fairly decentralized process, with departments like marketing, sales, IT, risk and legal all making decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.

Putting the “Digital” in Vendor Risk Management

Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:

Within 2 weeks:

  1. How many third-party vendors execute in websites and mobile apps
  2. What are the names of these vendors?
  3. What exactly are they doing, i.e., intended purpose and also additional, out-of-scope activity?

Within 1 month:

4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website/app performance?
6. What are the risks to data privacy?
7. What is my exposure to regulatory risk via vendor behavior?

Within 3 months:

8. Am I maintaining encryption throughout the call chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. If the corporate website isn’t fully secure, what happens when employees visit the site? Is the enterprise network at risk?

Once you’ve been able to answer the above questions, within a year’s time, you should be able to create comprehensive digital vendor governance process that looks like this:

GDPR Complian Blog Post Image

Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.