Two recent hacking incidents have raised the profile of an attack vector that infosec pros and webmasters need to pay more attention to: the insertion into a web page of compromised code that appears to come from a trusted third party, allowing personal data to be siphoned off as customers enter it on the site.
The most recent example is the hack of British contact lens manufacturer Vision Direct, which admitted Monday that its site was compromised between Nov. 3 and Nov. 8. Hackers were able to sweep up the personal and financial details of some customers ordering lenses or updating their information, including full name, billing address, email address, password, telephone number and payment card information, including the card number, expiry date and the valuable CVV number on the back.
According to one news site, over 16,000 people may have been affected. The cause of the breach was reportedly a fake Google Analytics script — normally used for gathering data on site visitors — that was planted on the website and scraped customers’ information as it was being entered. In other words, this was not a breach of the company’s database.
It isn’t clear how much money the hackers got away with.
The two incidents are examples of why website administrators have to ensure that access to their sites is tightly controlled, including through the use of multi-factor authentication, and that sites are regularly inspected for the addition of bad code, if they want to make sure their sites aren’t abused. In addition, CISOs must keep watch for the registration of domains that are similar to their companies’.
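As an added illustration (not from the article or the companies involved), here is the kind of inspection an administrator could run over a saved copy of a checkout page: it lists every script tag, flags external scripts loaded from hosts outside an allowlist, singles out hosts that merely resemble a trusted analytics domain, and compares inline scripts by hash against a known-good baseline. The trusted hosts, the baseline and the sample page are constructed for the example.

```python
# Added example (not from the article): audit a page snapshot's <script> tags
# against a baseline, flagging unknown external hosts, hosts that resemble a
# trusted one (a fake "Google Analytics" domain) and changed inline scripts.
import hashlib
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._open = True
            self.inline.append("")
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data

def looks_like(host, trusted, threshold=0.8):
    # Host embeds or closely resembles a trusted name without being one.
    return host not in trusted and any(
        t in host or SequenceMatcher(None, host, t).ratio() >= threshold
        for t in trusted)

def audit_scripts(html, trusted_hosts, baseline_hashes):
    """Return (kind, detail) findings for scripts that deviate from baseline."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = urlparse(src).hostname or ""
        if host not in trusted_hosts:
            kind = "lookalike-host" if looks_like(host, trusted_hosts) else "unknown-host"
            findings.append((kind, src))
    for body in p.inline:  # inline tags are compared by SHA-256 of their body
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("inline-changed", digest))
    return findings

# Constructed sample: a real GA tag, an injected lookalike and an inline tag.
SAMPLE_HTML = """<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.google-analytics.com.example.test/ga.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>"""
TRUSTED = {"www.google-analytics.com", "www.googletagmanager.com"}
```

Running `audit_scripts(SAMPLE_HTML, TRUSTED, set())` reports the lookalike host and the unbaselined inline script; once the inline hash is added to the baseline, only the lookalike remains.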