Compromised sites a reminder to webmasters to watch for compromised third-party code

Two recent hacking incidents have raised the profile of an attack vector that infosec pros and webmasters need to pay more attention to: the insertion of compromised code into a web page from what is supposed to be a trusted third party, allowing the siphoning of personal data as it's entered on the site by customers.

The most recent example is the hack of British contact lens manufacturer Vision Direct, which admitted Monday that its site was compromised between Nov. 3 and Nov. 8. Hackers were able to sweep up the personal and financial details of some customers ordering lenses or updating their information: full name, billing address, email address, password, telephone number and payment card details, including the card number, expiry date and the valuable CVV number on the back.

According to one news site, over 16,000 people may have been affected. The cause of the breach was reportedly a fake Google Analytics script —  normally used for gathering data on site visitors — that was planted on the website, which scraped customers’ information as it was being entered. In other words this was not a breach of the company’s database.

A similar incident was reported earlier this month by security vendor ESET involving the StatCounter service, used by many webmasters to gather statistics on their visitors. It's a service used by some 2 million websites that's very similar to Google Analytics: using it involves adding an external JavaScript tag from StatCounter to each page. However, someone managed to compromise that JavaScript, which was loaded by a cryptocurrency exchange called Gate.io, with the goal of stealing bitcoin from depositors. Part of that scheme involved creating a site called www.statconuter[.]com where traffic was directed, hoping people wouldn't notice the misspelling.

It isn’t clear how much money the hackers got away with.

The two incidents are examples of why website administrators who want to make sure their sites aren't abused have to ensure access to sites is tightly controlled, including through the use of multi-factor authentication, and that pages are regularly inspected for the possible addition of bad code. In addition, CISOs must keep watch for the registration of domains that are similar to their companies'.

Broadly speaking, these are called supply chain attacks. Sometimes, it is easier to compromise a third party than launch a direct attack, noted ESET researcher Matthieu Faou in an email interview. In this case attackers decided to go after StatCounter, modified a piece of its JavaScript that is loaded in every gate.io page. Then, that JavaScript loaded another JS script responsible for modifying the destination address when a user of gate.io ordered a withdrawal of bitcoin.

Faou noted other typical third-party JavaScript code used by websites that could be abused includes scripts from ad networks that display ads on a website, as well as JavaScript libraries, such as jQuery, which are hosted on external servers to improve loading time.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
