CSO Blog: Web-based Malware Not up to Code

Article first published to CSO Blog via IDG Contributor network on November 20, 2017

Cyber security concept shieldRead article

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.

Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites such as gambling, or porn suffered from poor security, but this isn’t true. Throughout 2017, the media reported security incidents occurring on numerous well-known, highly-trafficked websites like Equifax, State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC

Continue reading

 

PODCAST: How do we fix the internet?

Check out Charles Tendell’s interview of Chris Olson, CEO of The Media Trust, about the challenges of website security and the risk contributed by third-party code.

Listen here.

The world is a digital economy; however, there is a general lack of awareness for how to secure the highly-dynamic digital environment which requires a continuous security approach. The onus is on mobile app developers & website operators to ensure their assets are safe. The key to managing risk requires:

  • Knowing your digital vendors/partners
  • Identifying & authorizing their activity
  • Communicating your policy & establishing responsibility
  • Evaluating vendor compliance with your policy

 

This podcast was recorded on October 24, 2017

Parked Domains, pantry moths, and you

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

Parked domains have little security

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Pantry moths are like parked domainsYes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern, is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.
Parked domains are dangerous

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:
Parked Domains FAQs

  1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
    Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third-parties will bring fourth and fifth party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
  2. Can my own parked domain be compromised?
    Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
  3. Can my current website security solution detect these parked domains?
    Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
  4. So what can I do?
    Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
    “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.
  5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
    Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze it first before transferring to storage containers and use the supplies as quickly as you can.

 

INFOGRAPHIC: Data Protection and Privacy Regulations

Your customer’s digital experience is powered by a range of third-party services not controlled by enterprise IT–ad blocker, advertising, analytics, content recommendation, data management, payments, social widgets, video players, and so much more. Increasingly, these services are proving to be a source of regulatory violations.

Download: Data Protection Infographic

TMT-DataPrivacy-FULL-Info

GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

GDPR Pandora's Box
Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties. 

Digital vendors and the GDPR

The internet is a highly-dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers around personal online behavior data—specifically information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.–and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred and confidence that it is adequately protected!

Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately companies will need to ensure each of their advertising partners do not engage in activity which could put their organization or customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third-parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, they fail to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be as a result of shadow IT resources. Based on this evidence it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill-afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/ consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, less opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.