CPO: US Federal Websites in Urgent Need of Web Security Upgrade

Article originally published in CPO Magazine on December 8, 2017

CPO Mag - US-federal-websites-2017-1208

Read article

The U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security.

The problem with federal – and many enterprise – websites is that no one individual is in charge of the entire website operation.

Continue reading

 

Parked Domains, pantry moths, and you

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

Parked domains have little security

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Pantry moths are like parked domainsYes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern, is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.
Parked domains are dangerous

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:
Parked Domains FAQs

  1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
    Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third-parties will bring fourth and fifth party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
  2. Can my own parked domain be compromised?
    Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
  3. Can my current website security solution detect these parked domains?
    Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
  4. So what can I do?
    Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
    “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.
  5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
    Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze it first before transferring to storage containers and use the supplies as quickly as you can.

 

Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.

You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Content Management Systems: Friend or Foe?

The downside of open source affordability and flexibility

CMS Friend or Foe

More than 7,000 ecommerce sites were shut down this past weekend due to malware infiltrating the open source or community version of Magento, a popular content management system. Unfortunately, this type of revenue-impacting event has become all too common with similar attacks affecting WordPress, Joomla and Drupal within the past 12 months. As thousands of online merchants have just learned, taking advantage of the affordability and flexibility offered by an open-source website vendor requires investment in continuous site security.

Start-up savior

Millions of small and medium-sized merchants rely on open source content management systems (CMS) to support their initial foray into online commerce. These platforms provide a “plug-n-play” infrastructure that pulls together basic design schema, content delivery features and shopping cart capabilities—critical cost-saving tools for a start-up operation. Platform providers make these tools available in the hopes that as the retailer grows it will seek more features and eventually upgrade to a more robust, enterprise version. But, these supposedly “free” tools come with a price.

When free isn’t free

Open source is a great resource; however, it is not supported by the vendor. Open source platforms rely on a passionate community of users to build plug-ins and extensions which extend the capability of the free tool. A major shortfall is that open source lacks the protection users expect—there’s no accountability for the developer community should something go horribly wrong. In fact, the very nature of open source suggests that the “source” is “open” to all who wish to contribute.

Bad actors easily infiltrate these communities and cause considerable harm. From compromising an existing extension to creating a flawed one, bad actors can quickly penetrate thousands of ecommerce operations and execute a host of crimes—mine for credit card data, trigger malware downloads onto shopper browsers, deface the site with inflammatory language or completely disable site operations, to name a few. Whatever the action, the merchant suffers serious damaging consequences from which it may not ever recover.

To protect an ecommerce operation, online merchants need to invest in security measures to ensure the open source environment is safe from compromise. This means a thorough review of all code and vendors used to render the site on consumer browsers—both front-end services, like image library and product recommendation, and back-end services, like CMS and content delivery networks. In effect, open source is not really free, as the money saved from licensing needs to be poured back into IT to secure the site.

Preparing for the worst

Considering that an open source platform can bring an ecommerce site to its knees, online merchants must keep abreast of industry news and take immediate action to locate and fix compromised code. In addition, merchants should also adopt basic security best practices such as:

  1. Regular participation in the open source community to know when issues are detected and how to resolve
  2. Careful screening of plug-ins and extensions before using in your environment
  3. Limited use of un-vetted extensions
  4. Continuously monitoring of the third-party vendors executing on the site

The best way to secure revenue continuity is to constantly monitor the site for anomalies and unexpected vendor behavior. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

For those not planning to upgrade to a licensed, vendor-supported platform, an effective security program will be your best friend. The Media Trust can make the introduction.

 

Ecommerce–What’s happening on your site?

Wayward third-party vendors impact site performance, collect first-party data and expose site visitors to malware

Online shopping is now a primary revenue source for many retailers, and its growth trajectory is forecast to continue its double-digit growth rate. With their high-volume traffic and access to consumers’ credit cards, these sites also serve as revenue sources for hackers and fraudsters, who find retailers’ reliance on third-party vendors especially appealing. They gain access to sites by compromising legitimate third-party vendors.

Pinpointing the third-party vendors

Everyday ecommerce sites are rife with third-party vendors, many of them not clearly visible to site owners. These services provide the interactive and engaging experience consumers have come to expect and also enable the site to be monetized. Unbeknownst to many retailers, the third-party vendors they use to render these critical services—product reviews, content recommendation engines, payment systems, automated marketing services, analytics, content delivery networks, social media tools and more—can unintentionally function as a conduit for a host of unsavory activities including malware drops, first-party data collection, and latency-causing actions.

The challenge is to quickly identify the point of compromise, yet most ecommerce site operators don’t have a clear grasp of the vendors actively executing on their digital properties. The following infographic of a typical ecommerce site provides clues to where vendors can be found.

Ecommerce–What's happening on your site?

[Get your pdf copy at www.TheMedia.Trust]

Check yourself before you wreck yourself

How do you control these vendors and what they do on your site? The ability to effectively manage an ecommerce site requires intricate command of the technology, processes and vendors needed to render pages that not only meet revenue goals, but do so without compromising the user experience. This means the site must be free of malware, performance-sapping vendors and privacy-violating data collection activity.  To protect against third-party code’s inherent risks, ecommerce teams must work with their IT, information security, and legal teams to constantly monitor—in real time—the code executing on their sites. Otherwise, a host of activities can be underway without your knowledge which can negatively impact the user experience, your brand and your revenue stream.

Encryption – Your website isn’t as secure as you think

HTTPS code does not mean a site is encrypted

Encryption is complicated

Today is D-Day for ecommerce and IT professionals, basically anyone with a revenue-generating digital property. June 30 marks the day that Google’s ad networks move to HTTPS and follows previous statements indicating HTTPS compliance as a critical factor in search engine rankings.

From Google’s announcement to the White House directive mandating HTTPS-compliant federal websites by December 2016, encryption has become the topic du jour. And, rumors abound that browsers are getting into the encryption game by flashing alerts when a site loses encryption. Why all the fanfare?

Encryption adds elements of authenticity to website content, privacy for visitor search and browsing history, and security for commercial transactions. HTTPS guarantees the integrity of the connection between two systems—webserver and browser—by eliminating the inconsistent decision-making between the server and browser regarding which content is sensitive. It does not ensure a hacker-proof website and does not guarantee data security.

Over the past year, businesses worked to convert their website code to HTTPS. With Google’s recent announcement, ad-supported sites can sit back and relax knowing their sites are secure, right? Wrong.

To have a truly encrypted site you must ensure ALL connections to your website communicate through HTTPS, including all third-party code executing on your site, not just advertising. This means sites using providers such as content delivery networks, data management platforms, hosting services, analytic tools, product reviews, and video platforms, need to ensure connections—and any connections to fourth or fifth parties—are made via HTTPS. Just one break in any call chain will unencrypt your site. Considering 57% of ecommerce customers would stop a purchase session when alerted to an insecure page, the ongoing push to encrypted sites should not be ignored.

What’s a website operator to do? By its very nature, third-party code resides outside your infrastructure and is not detected during traditional web code scanning, vulnerability assessment, or penetration testing. To ensure your site—and all the vendors serving it—maintains encryption you must scan it from the user’s point of view to see how the third parties behave. Only then can you detect if encryption has been lost along the call chain.