Guess what? Corporate websites are out of your control

Recognizing how websites and mobile apps have transformed business models

Marriott. Toys R Us. Darden Restaurants. Wal-Mart. Kraft. Neiman Marcus. Dell. What do these diverse companies have in common? They are all digital publishers.

As highlighted in a recent article, Dell spends millions of dollars each year developing content for their public-facing website. From placing advertisements to writing stories about women in technology to creating informative videos, Dell recognizes the power of digital content as an important part of the sales process. And their public-facing website serves as the primary communication channel to their most valuable asset—the customer. Dell isn’t alone.

Once relegated to traditional media companies, the concept of a digital publisher has morphed to encapsulate any organization that uses digital channels to promote their business—either directly with coupons, product reviews and ecommerce capabilities or indirectly via promotional videos, polls and recipes. In effect, any firm with a digital property—website or mobile app—should consider themselves a digital publisher.

Digital content is outside your control

Digital content and the channels through which it is acquired and delivered requires a new approach to security.

High-quality, informative websites and mobile apps attract visitors, and this attention draws evildoers. Looking to capitalize on your hard-won customers and website traffic, these bad actors mine for poor web code to exploit. They redirect visitors outside your page, launch malware downloads, and steal valuable visitor data, to name a few actions that no reputable business wants. In fact, online and mobile channels are the primary vectors for malware, with 85% of all malware distributed via the web.

Securing public-facing digital properties should be easy, right? The challenge is that most of the code delivering the interactive and engaging user experience that renders on the site visitor’s browser is from a third party and therefore outside your control. As a matter of fact, third-party code makes up more than 78% of the code found on Fortune 1000 websites. Think about it. Almost every corporate website uses video, blog, talent acquisition and social media tools in addition to the standard backend data analytics and marketing platforms. Though incorporated into your website design, these third-party providers execute outside your website’s technical operation thereby minimizing your ability to control their security or activity. And they are often compromised. (Read more about third-party code providers.)

Responsibility of Securing public-facing digital properties

Viewed from a digital publisher lens, strategic business growth depends on delivering a top-notch user experience to website visitors and mobile apps users—customers and employees. Securing these digital properties means closely monitoring third-party activities to ensure they are not dropping malware, collecting unauthorized user data or negatively impacting site performance.

With digital publishing comes responsibility. Embrace it.

What’s on your website? And what’s it doing there?

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.

 

Ecommerce: Are you ready for the 2014 holidays?

It’s the most wonderful time of the year…for ecommerce.

For many, the cooler temperatures and shorter days signal the start of holiday shopping, and the 2014 holiday season is expected to witness a 15.5% increase in ecommerce sales. Mobile transactions will constitute a third of that number generated, with the average consumer spending $248 online. For others, the increased volume of online shopping serves as a tempting target for web-based attacks in the form of malware, and consumers are the innocent participants.

Malware attacks skyrocket during the holiday season. This makes sense when you consider that more than 25% of total U.S. annual online sales are expected to occur in November and December.With more than $6.5 billion in ecommerce sales expected this year, you can bet the online ecosystem will be targeted.

Much like retailers stock the shelves, ecommerce sites load up with images, product descriptions and advertisements promoting this season’s must-have items and offering discounts in preparation to cash in on the uptick in website visitors. However, this super-sized volume also attracts those looking to make a quick buck by taking advantage of your customers and their online shopping activities. They hijack your ads or third-party content to deliver nefarious code that auto installs on your site visitor’s device. Often, due to fraudsters’ ever-increasing sophistication, these ads or images don’t even require user action. The process of simply serving the impression of an infected ad, image or product review can set the malware wheels in motion.

The Media Trust has had a front-row seat to these activities for the past few years, witnessing the doubling and sometimes tripling of attacks via web-based advertisements or “malvertising” from November through January. The attacks typically kick into high gear on the Wednesday before the U.S. Thanksgiving holiday, a time when many employees charged with supporting and maintaining your website are at home enjoying the long weekend. The staff required to keep the website operational focus only on functionality and often don’t notice the anomalous, third-party code piggybacked to their ads and third-party content.

What’s the worst that can happen? Your website and/or ads become a flashpoint for a major attack, infecting thousands of your customers or potential customers with harmful malware. Typically, the malware downloads an exploit kit onto a customer’s device and mines for system weaknesses to leverage, like passwords or access to personal bank accounts. Sometimes, the hijacked content redirects valuable customers to a fraudulent site, resulting in lost revenue. In either scenario, your customers experience a negative interaction with your brand.

The reality is that your public-facing ecommerce site, quite possibly the bread and butter of your business, can serve as a prime purveyor of malware to your customers. The only way to prevent such attacks is to monitor all ad tags and website code executing on the browser or app, including your own code and that of third parties, data management platforms, advertising re-targeters, analytic firms and sales platforms. Continuous, 24/7 monitoring ensures the detection and analysis of all unknown or anomalous ads and third-party code served to the site, and real-time detection enables ecommerce operators to quickly remove and then block the suspicious or malicious ad tag or code before any damage to site visitors or brand occurs.

Brand protection, revenue security and site performance–those are the best holiday gifts to give and receive.