
Compromised sites a reminder to webmasters to watch for compromised third-party code

Two recent hacking incidents have raised the profile of an attack vector that infosec pros and webmasters need to pay more attention to: the insertion of compromised code into a web page from what is supposed to be a trusted third party, which allows the siphoning of personal data as it is entered on the site by customers.

The most recent example is the hack of British contact lens manufacturer Vision Direct, which admitted Monday that its site was compromised between Nov. 3 and Nov. 8. Hackers were able to sweep up the personal and financial details of some customers ordering lenses or updating their information, including full name, billing address, email address, password, telephone number and payment card information, including the card number, expiry date and the valuable CVV number on the back.

According to one news site, over 16,000 people may have been affected. The cause of the breach was reportedly a fake Google Analytics script — normally used for gathering data on site visitors — that was planted on the website, which scraped customers’ information as it was being entered. In other words, this was not a breach of the company’s database.

A similar incident was reported earlier this month by security vendor ESET involving the StatCounter service, used by many webmasters to gather statistics on their visitors. It’s a service used by some 2 million websites that’s very similar to Google Analytics, and it works by adding an external JavaScript tag from StatCounter to each page. However, someone managed to compromise that JavaScript, which was loaded by a cryptocurrency exchange called Gate.io, with the goal of stealing bitcoin from depositors. Part of that scheme involved creating a site called www.statconuter[.]com where traffic was directed, hoping people wouldn’t notice the misspelling.

It isn’t clear how much money the hackers got away with.

The two incidents are examples of why website administrators who want to make sure their sites aren’t abused have to ensure that access to those sites is tightly controlled, including the use of multi-factor authentication, and that the sites are regularly inspected for the possible addition of bad code. In addition, CISOs must keep watch for the registration of domains that are similar to their companies’.

Broadly speaking, these are called supply chain attacks. Sometimes, it is easier to compromise a third party than launch a direct attack, noted ESET researcher Matthieu Faou in an email interview. In this case, attackers decided to go after StatCounter and modified a piece of its JavaScript that is loaded in every gate.io page. Then, that JavaScript loaded another JS script responsible for modifying the destination address when a user of gate.io ordered a withdrawal of bitcoin.

Faou noted that other typical third-party JavaScript code used by websites that could be abused includes scripts from ad networks that display ads on a website, as well as JavaScript libraries, such as jQuery, which are hosted on external servers to improve loading time.
