Web Application Supply Chain Threats

Over the past several weeks, I’ve learned more about the supply chain for household items than I’d ever have cared to know. Who knew that the supply chain for toilet paper was so fragile?!

Those of us who focus on defending web applications are increasingly turning our attention to the supply chain that makes up a modern web application. Following a string of payment skimming attacks in which fraudsters pilfered card details from checkout pages, the PCI Security Standards Council has raised awareness of these risks with a series of warnings and educational webinars on the topic. We have repeatedly seen attackers gain control of first- or third-party JavaScript running on websites to pull off these attacks.


In a recent study of web traffic, researchers at Akamai found that 67% of the content on an average website is delivered by a third party. It isn't surprising that attackers have turned their attention to the web application supply chain now that it has reached critical mass.

Trends in development suggest that the share of content sourced from third parties will only grow over time as website owners look for faster, cheaper ways to introduce new functionality.

Attackers also get a far greater return if they can compromise a provider of third-party JavaScript, since a single compromised script can give them trusted code execution on hundreds or even thousands of websites at once.

Not only are these attacks growing in frequency, but attackers are drawing inspiration from evasion techniques previously seen in endpoint malware. The Pipka skimmer, discovered by Visa's Payment Fraud Disruption team, removes its own script tag from the page's HTML once it has executed, so that a later inspection of the DOM does not show it. Self-deleting behaviour is common in malware found on corporate networks, but it was novel for malicious JavaScript embedded in a website.

Attackers have also been observed using domain generation algorithms (DGAs) for the command-and-control (C2) component of formjacking attacks, another technique borrowed from desktop malware. Because the C2 hostname changes on a schedule, a static blocklist of known C2 infrastructure is of limited use; a destination allowlist, such as the connect-src and form-action directives of a Content Security Policy, does not depend on knowing the attacker's hostnames in advance. These ongoing evasions are to be expected and will continue to challenge web defenders.