A sticker pasted at the entrance of a Chicago-based business that lets customers know that they accept credit cards. (Photo by Scott Olson/Getty Images)

Researchers on Monday discovered a new Magecart campaign that has impacted at least 44 e-commerce sites.

In a blog post, Jscrambler researchers said the incident underscores how risky client-side security can be if the web supply chain is left unchecked. In what appears to be a new way to acquire victims cheaply and easily, the researchers said, attackers took over a defunct internet domain that previously hosted a JavaScript library decommissioned in December 2014.

The researchers said companies running the JavaScript failed to remove it from their websites, likely because of a lack of visibility into third-party scripts and/or poor security policies. The attack has been underway since Dec. 20, 2021, and uses a loader script that resembles Google Analytics, a JavaScript library included in many websites. Another version aims to resemble Google Tag Manager; the researchers said the resemblance is for deception only, as the real endpoint the script contacts is encrypted or encoded.
“Our discovery of this web skimming attack underscores the importance of practicing good client-side security hygiene,” said the researchers. “Most web applications are a complex mash-up of elements leveraging code from the web supply chain and most security teams don’t have visibility into this third-party code running on their website — they don’t know if it’s behaving as it should or misbehaving, whether accidentally or maliciously. This security blind spot can create a false sense of confidence in your assessment of risk.”

The Magecart skimming attacks are another chapter in the software supply chain story, said Scott Gerlach, co-founder and CSO at StackHawk. Gerlach said developers should start defending their apps and APIs by actively checking in on the public packages and repositories they use.

“But that can only get you so far with limited visibility into how the third-party code is running,” said Gerlach. “We need to dedicate more time and money to maintaining package management services if we expect the software supply chain to become more secure.”