Source Defense 2021 Predictions: E-commerce Sites Will Face Mounting Pressure to Thwart Formjacking and Magecart Attacks

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

E-commerce Sites Will Face Mounting Pressure to Thwart Formjacking and Magecart Attacks

By Hadar Blutrich, CTO & Co-founder of Source Defense

COVID-19 changed our lives in 2020, and we can expect the outbreak to keep doing so well into 2021. That includes how we shop, and the ways criminals seek to exploit the shift in consumer behaviour. To respond to the resulting threats, e-commerce companies will need to adopt a far more proactive security posture for the year ahead.

Specifically, we anticipate the following developments in 2021:

1.  Consumers will continue to transition from brick-and-mortar to online shopping.

The first seven months of 2020 saw $434.5 billion in online purchases, with the pandemic driving an extra $94 billion since March, according to the 2020 Digital Economy Index from Adobe Analytics. By October, the pandemic had accelerated online shopping to a level not previously expected until 2022, with U.S. e-commerce projected to reach $794.5 billion this year, according to eMarketer. That is a 32.4 percent year-over-year growth rate, notably higher than the 18 percent predicted in eMarketer's Q2 forecast. By 2024, e-commerce will account for 19.2 percent of all U.S. retail spending, up from 14.4 percent now. In contrast, brick-and-mortar sales will fall to $4.71 trillion this year, a 3.2 percent decline.

"We've seen e-commerce accelerate in ways that didn't seem possible last spring, given the extent of the economic crisis," said Andrew Lipsman, a principal analyst for eMarketer. "While much of the shift has been led by essential categories like grocery, there has been surprising strength in discretionary categories like consumer electronics and home furnishings that benefited from pandemic-driven lifestyle needs."

2.  Cyber criminals will take advantage of the online shopping boom by launching more formjacking and Magecart attacks.

In these attacks, criminals inject malicious JavaScript into an e-commerce site to skim data from the checkout page and steal customers' payment card details. Formjacking refers to hijacking a web form, most often the payment form. It accounts for 87 percent of web breaches and 17 percent of total breaches. Magecart, originally a name for the criminal groups targeting shopping carts on the Magento open source e-commerce platform, has become the umbrella term for this whole family of web-skimming campaigns. In September, attackers compromised more than 1,900 retailers running the end-of-life Magento 1 branch to steal the payment details of tens of thousands of customers, the largest automated Magecart campaign on record. Overall, there have been roughly 425 Magecart incidents per month this year.

3.  Cyber attacks will become much more sophisticated and harder to detect.

In the past, adversaries hid their tools on servers and domains whose names mimic legitimate ones (swapping the letter "c" for the letter "o" in a familiar name, for instance), but a look-alike domain is still something a defender can spot and block. To stay hidden, formjacking and Magecart operators will instead deliver their JavaScript through sources the site's Content Security Policy (CSP) already allows, such as well-known tag managers. Because an origin-based CSP trusts everything served from an allowed origin, a skimmer loaded through a trusted tag manager runs with the same freedom as the site's own code. Sending the captured data out through other allowed third-party services removes the need for a "drop server*" entirely, leaving almost no detectable footprint and sparing the attacker any server or cloud cost. The technique is all the more formidable, and foreboding, because the sales transaction still goes through: the compromised merchant and the victim remain unaware that the card data has been stolen until it is used for a fraudulent purchase.

*A drop server is a server that collects and holds stolen data.
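The paragraph above makes the point that an origin allowlist cannot distinguish a legitimate tag-manager request from a skimmer's beacon to the same vendor. One way to close that gap on the client is to inspect what leaves the page rather than where it goes. The following is an added example (not code from the original article, and not Source Defense's product): a small egress monitor that flags Luhn-valid card numbers, plain or base64-encoded, being sent anywhere except the merchant's payment processor. The site and processor origins, the vendor hostnames and the sample traffic are all constructed for the example.

```javascript
// Added example (not from the original article and not Source Defense's own
// code): a client-side egress monitor that flags payment card numbers leaving
// the page for any destination other than the merchant's payment processor.
// It keys on the payload, not the origin, so data smuggled out through a
// CSP-allowed third party is caught just like data sent to a drop server.
// The origins below are assumptions made up for the example.
const SITE_ORIGIN = 'https://shop.example-merchant.test';
const PAYMENT_PROCESSOR_ORIGINS = new Set(['https://payments.example-merchant.test']);

// Luhn check: weeds out most 13-19 digit runs that are not card numbers
// (order ids, timestamps, tracking numbers).
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const fromBase64 = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1'));
const toBase64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64'));

function tryBase64Decode(token) {
  try { return fromBase64(token); } catch (_) { return ''; }
}

// Returns the first Luhn-valid card number in `text`, also looking inside
// base64-looking tokens because skimmers routinely encode what they steal.
function findCardNumber(text) {
  const chunks = [text];
  for (const token of text.match(/[A-Za-z0-9+/]{20,}={0,2}/g) || []) {
    chunks.push(tryBase64Decode(token));
  }
  for (const chunk of chunks) {
    for (const run of chunk.match(/(?:\d[ -]?){13,19}/g) || []) {
      const digits = run.replace(/\D/g, '');
      if (luhnValid(digits)) return digits;
    }
  }
  return null;
}

// Flatten the body types fetch() and sendBeacon() accept into one string.
function bodyToText(body) {
  if (body == null) return '';
  if (typeof body === 'string') return body;
  if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) return body.toString();
  if (typeof FormData !== 'undefined' && body instanceof FormData) {
    return Array.from(body, ([k, v]) => `${k}=${v}`).join('&');
  }
  try { return JSON.stringify(body); } catch (_) { return String(body); }
}

// Policy decision for one outbound request. CSP is deliberately not consulted:
// a destination being allowed by CSP says nothing about whether it should
// receive card data.
function classifyOutboundRequest(url, body, processorOrigins = PAYMENT_PROCESSOR_ORIGINS) {
  const href = typeof url === 'string' ? url : (url.url || url.href);
  const origin = new URL(href, SITE_ORIGIN).origin;
  const pan = findCardNumber(href) || findCardNumber(bodyToText(body));
  if (!pan) return { verdict: 'allow', reason: 'no card number in request' };
  if (processorOrigins.has(origin)) return { verdict: 'allow', reason: 'card number sent to authorized processor' };
  return { verdict: 'block', reason: `card number ending ${pan.slice(-4)} sent to unauthorized origin ${origin}` };
}

// Browser wiring: wrap the two APIs a skimmer most often beacons with. Must run
// before any third-party script, or the skimmer can keep the original fetch.
function installEgressMonitor(win) {
  const origFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    const decision = classifyOutboundRequest(input, init.body);
    if (decision.verdict === 'block') {
      console.warn('egress monitor:', decision.reason);
      return Promise.reject(new TypeError('blocked by egress monitor'));
    }
    return origFetch(input, init);
  };
  if (win.navigator && win.navigator.sendBeacon) {
    const origBeacon = win.navigator.sendBeacon.bind(win.navigator);
    win.navigator.sendBeacon = (url, data) => {
      const decision = classifyOutboundRequest(url, data);
      if (decision.verdict === 'block') { console.warn('egress monitor:', decision.reason); return false; }
      return origBeacon(url, data);
    };
  }
}
if (typeof window !== 'undefined') installEgressMonitor(window);

// Constructed sample traffic: a legitimate charge, a skimmer beaconing the same
// card (base64-encoded) to an allowlisted analytics vendor, and a harmless event.
function runEgressDemo() {
  const samples = {
    checkout: ['https://payments.example-merchant.test/charge',
               JSON.stringify({ cardNumber: '4111 1111 1111 1111', exp: '12/24' })],
    skimmer: ['https://collect.trusted-tagvendor.test/event',
              'd=' + toBase64(JSON.stringify({ cc: '4111111111111111', cvv: '123' }))],
    analytics: ['https://collect.trusted-tagvendor.test/event', 'ev=pageview&order=1001'],
  };
  const verdicts = {};
  for (const [name, [url, body]] of Object.entries(samples)) {
    verdicts[name] = classifyOutboundRequest(url, body).verdict;
  }
  return verdicts;
}
console.log(runEgressDemo());
```

Two caveats a practitioner should keep in mind. The wrappers only help if this script runs before any third-party code and cannot itself be tampered with; a skimmer that loads first simply keeps a reference to the original `fetch`, and image beacons, WebSockets and `XMLHttpRequest` need the same treatment. Encoding detection is also an arms race (XOR, custom alphabets and chunked exfiltration all defeat the base64 heuristic), which is why the article argues for isolating third-party scripts rather than relying on monitoring alone.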

4.  Organizations will increasingly adopt zero trust to protect themselves and their customers.

Adversaries have found that third parties are the weak link of the e-commerce supply chain, and that attacking them is both effective and lucrative. The only way to capture and block this activity is a zero trust approach that confines each third party to exactly the page data the website has authorized it to access, while denying it any access to consumers' personal and payment information.

Virtual web pages play a key role here. Much like a real-time sandbox, a virtual page is an exact replica of the original page with the elements the third party is not authorized to see removed. Third-party input that the policy permits is transferred from the virtual page to the original page; everything else stays in the replica. Because third-party scripts are isolated from the original website in this way, an unauthorized change to their JavaScript cannot reach data or page elements they were never granted.
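To make the mechanism concrete, here is an added example (not code from the original article, and not how Source Defense's product is implemented) that reduces the "virtual page" idea to its core: a third-party script is handed a deny-by-default view of the document that exposes only the elements named in its policy, forwards reads on those, and passes writes through to the real page only for properties the policy allows. The tiny fake DOM, the element ids, the vendor hostname and the two third-party scripts are constructed for the example; in a browser the real `document` would be wrapped instead.

```javascript
// Added example (not from the original article, and not how Source Defense's
// product is implemented): a "virtual page" built from a deny-by-default
// element lookup plus a Proxy around each exposed element. The fake DOM below
// is constructed for the demo; a real deployment wraps the real `document`.

// Minimal stand-in for a checkout page: the payment inputs, the order total and
// the mount point for a chat widget. Ids are assumptions for the example.
function makeFakeDocument() {
  const nodes = {};
  for (const id of ['cc-number', 'cc-cvv', 'order-total', 'chat-root']) {
    nodes[id] = { id, value: '', textContent: '', listeners: [],
      addEventListener(type, fn) { this.listeners.push({ type, fn }); } };
  }
  nodes['cc-number'].value = '4111111111111111';
  nodes['cc-cvv'].value = '123';
  nodes['order-total'].textContent = '$42.00';
  return {
    nodes,
    getElementById: (id) => nodes[id] || null,
    querySelector: (sel) => (sel.startsWith('#') ? nodes[sel.slice(1)] || null : null),
  };
}

// Properties a third party may write through to the real element. Everything
// else (innerHTML, on* handler properties, input values) is absorbed by the
// virtual page and never reaches the original.
const WRITABLE_PROPS = new Set(['textContent']);

function wrapElement(el, audit) {
  return new Proxy(el, {
    get(target, prop) {
      const v = Reflect.get(target, prop);
      return typeof v === 'function' ? v.bind(target) : v;
    },
    set(target, prop, value) {
      if (!WRITABLE_PROPS.has(prop)) {
        audit.push(`denied write to ${String(prop)} on #${target.id}`);
        return true; // swallowed: the write lands only in the virtual page
      }
      target[prop] = value;
      return true;
    },
  });
}

// The virtual page: a script can never obtain a handle to anything outside
// its allowlist, so it cannot read, hook or replace the payment fields.
function makeVirtualPage(realDoc, allowedIds, audit) {
  const lookup = (id, via) => {
    if (!allowedIds.has(id)) { audit.push(`denied ${via} #${id}`); return null; }
    const el = realDoc.getElementById(id);
    return el ? wrapElement(el, audit) : null;
  };
  return {
    getElementById: (id) => lookup(id, 'getElementById'),
    querySelector: (sel) => {
      if (sel.startsWith('#')) return lookup(sel.slice(1), 'querySelector');
      audit.push(`denied querySelector ${sel}`);
      return null;
    },
  };
}

// Two constructed third-party scripts. The chat widget stays within its policy
// apart from one innerHTML write; the "skimmer" behaves like a formjacking payload.
function chatWidget(doc) {
  const root = doc.getElementById('chat-root');
  const total = doc.getElementById('order-total');
  root.textContent = `Hi! Need help with your ${total.textContent} order?`;
  root.innerHTML = '<img src="https://collect.trusted-tagvendor.test/x">'; // denied
}
function skimmer(doc) {
  const field = doc.getElementById('cc-number')
    || doc.querySelector('input[autocomplete="cc-number"]');
  return field ? field.value : null;
}

function runIsolationDemo() {
  const realDoc = makeFakeDocument();
  const audit = [];
  // Same skimmer, first against the real document, then through a virtual page
  // whose policy grants it only the chat mount point.
  const direct = skimmer(realDoc);
  const isolated = skimmer(makeVirtualPage(realDoc, new Set(['chat-root']), audit));
  chatWidget(makeVirtualPage(realDoc, new Set(['chat-root', 'order-total']), audit));
  return {
    direct,
    isolated,
    chatText: realDoc.nodes['chat-root'].textContent,
    chatHtml: realDoc.nodes['chat-root'].innerHTML,
    cardAfter: realDoc.nodes['cc-number'].value,
    audit,
  };
}
console.log(runIsolationDemo());
```

The sketch shows the access-control decision, not a complete product. A real virtual page has to cover the whole DOM API (`querySelectorAll`, `parentNode` walks, `document.forms`, `MutationObserver`, events bubbling up from the card inputs) and has to run the third-party code somewhere its `window.document` is the virtual page itself, such as a separate realm with a rebound global; otherwise the script simply reaches past the wrapper to the real document.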

There is an urgency to deploy these solutions now, especially since the average e-commerce site connects to approximately 40 third-party tools. Meanwhile, we know that online shopping will only increase considerably over the next year. Given this, we hopefully will read far fewer news reports about successful formjacking and Magecart incidents in 2021 and more stories about how organizations defended themselves from these attacks by implementing zero trust.


About the Author

Hadar Blutrich 

As CTO of Source Defense, Hadar brings more than 15 years of varied executive experience leading teams and developing out-of-the-box solutions. Formerly Chief Solution Architect on LivePerson's global sales and alliances team, Hadar's can-do approach helped close contracts worth millions of dollars. He is a technology leader who has led projects with industry giants such as Bank of America and Chase, working closely with their R&D and security teams.

Published Monday, November 09, 2020 7:37 AM by David Marshall