Supply chain attacks | What they are & how to prevent them

Supply chain attacks are when cybercriminals attack your third-party vendors in order to breach your site. Attackers exploit vulnerabilities in the third, fourth- and nth-party JavaScript running on your site to steal payment data and personally identifiable information (PII) from your users.

Up to 70% of the average website is made up of code from third parties and open source libraries. This code often calls other code, creating a supply chain of externally sourced JavaScript. Cybercriminals inject malicious scripts into vulnerable code in these external libraries, and websites that use the code now also have the malicious scripts running on their sites. These scripts skim payment data and personally identifiable information (PII) in digital skimming, Magecart, PII harvesting and formjacking attacks.

Falling victim to a supply chain attack exposes user data, damages brand reputation and leads to lawsuits due to noncompliance with privacy regulations. And without the right security protocols, supply chain attacks can go undetected for long periods of time. Recent research found that 93% of companies suffered a cybersecurity breach through weaknesses in their supply chain in 2021.

Web applications have two main components: the server and the client. The server holds the application code, stores data and processes operations. The client is the user’s browser where the web application is delivered.

To carry out supply chain attacks, cybercriminals can target the server or the client.

• In client-side supply chain attacks, cybercriminals exploit vulnerabilities in client-side JavaScript to inject malicious scripts that skim payment data and PII. There are many types of client-side supply chain attacks, but most often these take the form of digital skimming and Magecart or formjacking and PII harvesting.
• In server-side supply chain attacks, cybercriminals compromise the code that runs on the server side. This allows attackers to steal stored customer or employee data, access and modify internal configurations, hijack bandwidth or intercept money transfers.

More than 99% of websites use code from third-party vendors to build their sites. Examples of this are social sharing buttons, advertising iframes, payment iframes, chatbots, analytics and metrics scripts, A/B testing scripts for experiments and helper libraries such as jQuery.

In order for such code to work, developers must grant the third-party JavaScript some level of access to their site, apps and data. This means that JavaScript has the ability to access, modify, create an alternative for and remove anything from the page, including UI elements, object prototypes, storage assets and network activity.

Cybercriminals understand the power that JavaScript has. They target weaknesses in this code, thereby gaining access to every website that uses it. The goal is to steal PII and payment information. This stolen data fuels a continuous cycle of cyberattacks, including credential stuffing, carding and account takeover (ATO). Here are a few of the vulnerabilities that are commonly exploited in supply chain attacks:

• DOM Modification: The Document Object Model (DOM) is a programming interface for web documents that represents a webpage and the relationship between all of its elements. It allows JavaScript to interact with and modify a page. By modifying the DOM, malicious JavaScript can display fake content, serve unauthorized ads, show a made up form asking for PII and PCI information, and make other changes to a webpage.
• Browser Storage Data Access: Today’s browsers support cookies, session storage, local storage and other types of web storage, all of which usually hold sensitive user data. Third-party JavaScript likely has the ability to read and modify this storage. If cybercriminals exploit this code, they can access or change PII, social network tokens, affiliation codes, session keys, user histories and clickstreams.
• Network Sniffing and Manipulation: JavaScript code can extend or modify supporting system software locally to change network call parameters, content, headers and target domains — also known as a monkey patch. In addition, it can clone its entire content and modify the target, thus replaying the same network request. Cybercriminals can abuse this capability to fake the appearance of a browser or a web application.
• Data Harvesting: JavaScript can monitor browser events, form field input changes and user interactions, and collect the data. If the code is compromised, any data on an application could be stolen and exfiltrated by cybercriminals.

Client-side supply chain attacks can easily go undetected for several reasons.

• Lack of visibility at run-time: JavaScript code runs on the client side, meaning that it runs on users’ browsers rather than the central server. Thus, it can be difficult to detect unauthorized changes at runtime. This is especially true for scripts that load dynamically in users’ browsers at runtime. Also, the third-party script behavior at the runtime is unknown and it could load resources from malicious domains.
• Frequent code changes: Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, it does mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, often without their immediate knowledge.
• Nth-party vendors: Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire supply chain.
• Insufficient security reviews: Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and thus may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.

Supply chain attacks negatively impact businesses in several ways.

• Damage to brand reputation and consumer trust: If your brand suffers a supply chain attack, consumers whose data was compromised will lose trust in your brand and go elsewhere. Furthermore, press coverage of the attack may dissuade new customers from choosing to engage with your company.
• Lawsuits: Consumers may file lawsuits against businesses who expose their personal data to cybercriminals in a supply chain attack. Brands are liable for any data breach on their site, including one that arises from third-party components and services that are introduced to users from a software supply chain.
• Regulatory fines: Many countries and states have enacted data privacy legislation, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS). Businesses are liable for hefty fines if they do not comply with these regulations — even if it’s due to an attack on a third-party vendor.
• Impaired functionality: Supply chain attacks can affect a company’s ability to deliver products and services. This affects business continuity and creates data inaccuracies, making it hard for applications that use a compromised vendor to function. This results  in revenue loss and a competitive disadvantage.
• Lower stock value: Your stock price may plummet following a supply chain attack, and investors may sell your stock to circumvent losses.

All in all, supply chain attacks lead to severe financial losses and consequences.

The first step in preventing supply chain attacks is vetting your third-party code vendors. Before onboarding a new vendor, ask them detailed questions about their data security protocols and compliance with privacy regulations. Include specific security requirements and penalties for non-compliance in vendor contracts to mitigate the possibility of supply chain attacks.

Vetting your vendors is a great start, but the best way to prevent supply chain attacks is to enable automatic monitoring of all client-side JavaScript behavior on your website, so you can catch malicious code activity in action. Inventorying your website and network forms for anomalous behavior allows you to see client-side JavaScript at work. Take a zero-trust, least privilege approach to third-party vendors, and do not allow JavaScript code more access rights and privileges than are necessary for it to function properly. Continuously assess and validate JavaScript code that accesses your sites and networks.

Traditional cybersecurity solutions like web application firewalls (WAFs) are insufficient in protecting the client-side against client-side supply chain attacks. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of malicious code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration and deployment cycles.

Content security policies (CSP) are often the first step for many web application security professionals. Because CSPs were originally used for protection against cross-site scripting, they need a lot of tuning. CSPs alone don’t provide any protection against a compromise of a trusted domain that can be used to inject a skimmer on the website. And with CSP, a script is either on or off. More granular control is needed to prevent data exposure with disrupting script functionality.

Modern client-side application security solutions can continuously monitor all of the scripts on your website for anomalous behavior, using CSP rules and granular JavaScript blocking to stop malicious script injections from loading and prevent data transfer.

HUMAN Client-Side Defense is a client-side application security solution that protects websites from client-side supply chain attacks. The solution continuously monitors and builds a behavioral baseline of all first-, third- or Nth-party client-side scripts on a site and flags anomalous activity, including behavior changes, communication with new network domains or DOM modifications. Client-Side Defense provides robust insights into JavaScript activity over time and uses HUMAN client-side mitigation, a combination of CSP and granular JavaScript blocking, to mitigate risk. This prevents data breaches and ensures compliance with privacy regulations.

What is digital skimming and how does it work?

What is Magecart? | Attack types & prevention

What is personally identifiable information (PII) harvesting?

What is formjacking and how to prevent it

What is PCI DSS compliance? | Requirements & how to comply