What’s on your website? And what’s it doing there?

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.

 

SEA attack is no surprise

Ecommerce website losses estimated in the millions of dollars.

Boom! There it is. As expected, someone took advantage of the holiday season to make a statement, and hacking into media and corporate brand websites is one way to get the world’s attention.

Early yesterday morning at 6:38 a.m. EST, The Media Trust was the first security company to detect a pop-up screen stating the Syrian Electronic Army (SEA) had hacked a website, first in mobile and then online environments. The ongoing, 24/7 scanning of more than 25,000 websites through our Media Scanner services allowed us to quickly detect the hack and prepare our clients for battle.

Upon detection of this pop-up message, The Media Trust’s Malware Team immediately analyzed the code and determined it stemmed from a call made by Gigya, a customer management platform used by more than 700 leading brands. The Malware Team immediately contacted affected clients so they could quickly remove and then block the malicious file, thereby helping clients avoid the time-consuming hassle of tracking down the issue’s source.

This was an indirect attack, because it compromised the DNS server at gigya.com, which is hosted by GoDaddy. The SEA did not gain access to the Gigya servers; instead they redirected Gigya’s Internet traffic to its own servers and then served a file called “socialize.js” which displayed the SEA’s message.

As with their past attacks, the SEA targeted media outlets and focused exclusively on websites and was not related to any ad content. The SEA attack did not distribute malware and was designed as an effective publicity stunt. Yet, what’s to stop them from doing something worse the next time? And, let’s be honest, even without the presence of malware, a message on an ecommerce site stating that it has been hacked, even for a few hours, results in lost transactions – those few hours translate into millions of dollars of unrecoupable revenue.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. As The Media Trust cautioned in last week’s blog post, the holiday season is when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Keep in mind that The Media Trust’s Media Scanner detected this attack before Gigya. Do you want to know about your website being comprised so you can take action before the world knows? Think about it.