Client-side attacks have grown markedly more prominent since around 2015. With online activity rising during the global pandemic, 2020 was no exception: e-commerce, the most susceptible target, became more lucrative for attackers than ever.
The Client-Side Problem Explained
When a user interacts with a web application, numerous actions take place in the background. These can generally be divided into two categories, distinguished by where they execute: client-side (i.e. actions taking place on the end user's device, typically JavaScript running in the browser) and server-side (i.e. actions taking place on the web server). In recent years, attackers have found it easier to carry out attacks on the client side, because code running in the customer's browser is harder for organizations to observe, detect and handle (more on that later).
How does the client side get compromised in the first place? There are several scenarios, such as cross-site scripting, a compromised third-party package, or a compromised S3 bucket that serves scripts to the page, to name just a few. In each case the attacker's code ends up executing in the customer's browser with the same privileges as the site's own scripts.
Where There is Personal Information - There is Gain
The Effects of the Pandemic on Online Shopping
According to Imperva Research Labs, shortly after stay-at-home orders were issued there was a 28% increase in online retail traffic. Data from the United Nations Conference on Trade and Development (UNCTAD) reveals a similar picture. As UNCTAD stated, the pandemic has accelerated the shift towards a more digital world and triggered changes in online shopping behaviors that are likely to have lasting effects. The biggest gainers are the electronics, gardening/do-it-yourself, pharmaceuticals, education, furniture/household products and cosmetics/personal care categories [1]. This trend is predicted to continue in 2021, and with many businesses forced to change the way they conduct their sales, the opportunity for fraud grows with it.
A Real World Problem With Significant Ramifications
A recent example of such fraud is a multi-platform card skimmer discovered on several major e-commerce platforms [2]. The skimmer took over the checkout process by injecting a forged checkout form that closely mimicked the legitimate one, so that card data entered by the customer was sent to the attacker instead of (or in addition to) the real payment processor. This shows the level of sophistication of these recent attacks, which can abuse even the largest hosted e-commerce platforms.
This matters to organizations for more than the blow to their reputation. Attackers abusing the client side to obtain PII (Personally Identifiable Information) or payment card data is as severe a data breach as stealing data directly from the server, and it raises the same concerns of non-compliance with PCI DSS, GDPR, CCPA and other regulations. Just recently, significant fines amounting to millions of dollars have been issued in the airline industry for non-compliance with GDPR.
A Challenging Threat for Security Teams
Managing the risk of client-side attacks like Magecart can be a difficult challenge. The many third-party services found on websites today execute on the client side, which makes them a blind spot for the security organization. A key part of the strategy for security teams is to keep an inventory of all the third-party services used in their applications, but this is not easy, as the security team usually does not take part in the development cycle and new tags are added without its knowledge. Another option is to use HTTP Content-Security-Policy headers to restrict which origins may load scripts and receive data, although these can be difficult to implement and maintain across the organization: a policy that is too strict breaks the site, and one that is too loose stops nothing.
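As an added illustration of the inventory-plus-CSP approach described above (this is example code written for this article, not Imperva's code and not how Client-Side Protection is implemented), the following Node.js script does three things: it inventories the origins of external scripts in a page, emits a Content-Security-Policy header that allows only an approved list of origins, and triages CSP violation reports to flag data being sent to unapproved destinations, which is exactly what a skimmer's drop server looks like. The sample HTML, the approved origins, the report endpoint path and the violation reports are all constructed for the example.

```javascript
// Added example (not Imperva's code). All hosts, paths and reports below are
// constructed for illustration; replace them with your own inventory.

// Assumed: the third-party origins the organization has reviewed and approved.
const APPROVED_ORIGINS = new Set([
  'https://cdn.example-payments.com',          // assumed payment-provider script host
  'https://analytics.example-tagvendor.com',   // assumed approved analytics vendor
]);

// Inventory: collect the origins of all external <script src="..."> tags.
// Inline scripts have no origin and are skipped; relative URLs resolve to pageOrigin.
function inventoryScriptOrigins(html, pageOrigin) {
  const origins = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      origins.add(new URL(m[1], pageOrigin).origin);
    } catch {
      // malformed src attribute: nothing to inventory
    }
  }
  return [...origins].sort();
}

// Origins that load code on the page but were never approved.
function unapprovedOrigins(origins, approved, pageOrigin) {
  return origins.filter((o) => o !== pageOrigin && !approved.has(o));
}

// Build a CSP that confines both code loading and data leaving the page to
// the approved set. form-action 'self' stops a forged checkout form from
// POSTing card data elsewhere; connect-src stops fetch/XHR/beacon exfiltration.
function buildCsp(approved, reportEndpoint = '/csp-report') { // assumed endpoint path
  const hosts = [...approved].sort().join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,
    "form-action 'self'",
    `report-uri ${reportEndpoint}`, // widely supported; newer browsers prefer report-to
  ].join('; ');
}

// Triage browser violation reports: keep only blocked destinations that are
// neither the page itself nor an approved origin. Non-URL values such as
// "inline" or "eval" cannot be parsed and are skipped.
function triageCspReports(reports, approved, pageOrigin) {
  const findings = [];
  for (const r of reports) {
    const body = r['csp-report'] || {};
    const directive = (body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
    let origin;
    try {
      origin = new URL(body['blocked-uri']).origin;
    } catch {
      continue;
    }
    if (origin === 'null' || origin === pageOrigin || approved.has(origin)) continue;
    findings.push({ directive, origin, page: body['document-uri'] });
  }
  return findings;
}

// Constructed sample page: one first-party script, two approved vendors,
// one unknown CDN that nobody approved, and one inline script.
const PAGE_ORIGIN = 'https://shop.example';
const SAMPLE_HTML = `
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.com/pay.js"></script>
<script src='https://analytics.example-tagvendor.com/tag.js'></script>
<script async src="https://static.example-unknown-cdn.net/jquery-min.js"></script>
<script>window.__x = 1;</script>
</body></html>`;

// Constructed sample violation reports as a browser would POST them.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://collect.example-unknown-cdn.net/c' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'form-action', 'blocked-uri': 'https://pay.example-unknown-cdn.net/submit' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://analytics.example-tagvendor.com/beacon' } },
];

const inventory = inventoryScriptOrigins(SAMPLE_HTML, PAGE_ORIGIN);
console.log('script origins:', inventory);
console.log('unapproved:', unapprovedOrigins(inventory, APPROVED_ORIGINS, PAGE_ORIGIN));
console.log('Content-Security-Policy:', buildCsp(APPROVED_ORIGINS));
console.log('findings:', triageCspReports(SAMPLE_REPORTS, APPROVED_ORIGINS, PAGE_ORIGIN));
```

Two caveats a practitioner should keep in mind. First, the inventory only sees script tags present in the HTML; scripts that other scripts load at runtime appear only in the violation reports, so both halves are needed. Second, an allow-list does nothing against the compromised-package or compromised-bucket cases from earlier, because the malicious code arrives from an approved origin; for static scripts, Subresource Integrity (the `integrity` attribute) closes that gap, and the reports from `connect-src` and `form-action` still catch the exfiltration step.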
Imperva’s Client-Side Protection Is Easy to Set Up and Understand
Client-Side Protection makes it easier for security teams to gain visibility into all of their application’s third-party components, enabling them to protect their customers’ most sensitive data from this kind of fraud. It achieves this by:
- Revealing data transfers from your application to any third-party
- Simplifying actions: allow approved domains and block unapproved ones
Client-Side Protection is available as a part of Imperva’s Cloud Web Application and API Protection (WAAP) solutions.
The Imperva Application Security self-service trial includes the market-leading cloud web application firewall (WAF), DDoS protection, client-side protection, account takeover detection and attack analytics. Out-of-the-box, you will know if your organization is under attack and an onboarding wizard enables ease of deployment with guided steps to customize rules and more. Try it today.