Hosting Company Warns Of Increased Supply-Chain Attack Risk

Future Hosting, a managed server hosting provider, has advised eCommerce retailers to be vigilant of the risk posed by supply-chain attacks. The advice comes in the wake of a number of massive data breaches caused by third-party libraries infected with malicious code.

The Magecart credit card scraper is the most prominent example of malware injected via third-party JavaScript libraries. In recent months, several large eCommerce stores and innumerable smaller stores have been infected with Magecart. The malware scrapes credit card numbers and sends them to servers under the attacker’s control.

Rather than attacking eCommerce stores directly, supply chain attacks focus on third-party libraries and tools. In the case of Magecart, one vector was a JavaScript library developed by an AI company. The attackers injected malicious code into the library, which was then imported into numerous eCommerce stores.

“As a server host, Future Hosting supports thousands of eCommerce stores. We are concerned that the current rash of supply chain attacks is likely to damage confidence in the eCommerce market, especially in the run-up to the holiday season,” said Maulesh Patel, VP of Operations of Future Hosting. “Supply chain attacks are difficult to diagnose because there is little evidence of a breach on the store itself. The store may follow network and web security best practices and be infected anyway.”

The number of supply chain attacks has increased because software repositories are an easier target than well-secured eCommerce stores. A supply chain attack can infect hundreds or more stores and sites with minimal investment from the attacker.

Although supply-chain attacks are difficult to find, they are not impossible to prevent. Modern web applications typically rely on dozens, if not hundreds, of third-party libraries. It may not be feasible to thoroughly vet every one of them, but eCommerce retailers should attempt to audit the code running on their servers.

Web security safeguards such as Content Security Policy (CSP) can reduce the risk. CSP lets a site declare an allow-list of sources from which scripts may be loaded, limiting the effectiveness of some Magecart attacks. CSP can be used in concert with Subresource Integrity (SRI), which pins a cryptographic hash of each third-party script so the browser refuses to run a copy whose contents have changed, to ensure that malicious code is not executed in users' browsers.

About Future Hosting, LLC

Founded in 2001, Future Hosting is a privately held leading Internet solutions provider specializing in managed hosting, including Dedicated Servers, Virtual Private Servers, and Hybrid Virtual Private Servers. The company has built a strong reputation for its high-quality service, innovative pricing models, and 3-hour Service Level Agreement. Future Hosting is based in Southfield, Michigan. For more information, visit http://www.futurehosting.com.
