12% of websites that have externally scanned themselves with WebScan had confirmed malicious code stealing their customer payment card data off their website.
Following a recent update to our free website security scanner, WebScan, with some of the new Indicators of Compromise (IOCs) our forensic team have been seeing across the eCommerce industry, its fair to say that we have been surprised by the results so far.
With a global spread of websites scanning themselves on WebScan, here's the breakdown of results:
We offer two types of Website Security Scan:
What's the background to WebScan?
The last 24 months have been exceptionally busy for our forensic team - predominantly with assisting small-to-medium sized eCommerce businesses with a suspected breach - and the trend is showing a rapid growth in the numbers of eCommerce businesses being hacked and losing their client payment data.
In most cases the victim businesses had no idea that they had been hacked until they received a call from their bank - usually around 6 months after the criminals began stealing their customer payment card data. Considering the potential liabilities of up to EUR 18/card stolen, over the course 3-6 months these data compromises can add up to have a fairly serious financial impact on a business.
Very few of these businesses had any understanding of the security status of their website. As a result we built WebScan to help organisations understand whether they are at risk, showing signs of already having been compromised or - hopefully - looking nice, clean and secure.
WebScan helps to raise awareness on the importance of maintaining a secure website - the often misunderstood issue is that online businesses believe themselves to be safe and secure because they use a well-known, secure payment processor. What they forget, or perhaps misunderstand, is that if the website is insecure, it does not matter how secure the payment processor is. If the website is insecure, an attacker can easily compromise the website and manipulate the code to change the checkout process and harvest card data - this happens all the time. Some of the attacks are becoming so effective that they will easily fool an average-to-good developer.
So what can you do about your online business - how do you secure against these issues?
A few simple steps can be taken to considerably improve the security of an online business - here are a few examples:
1. Maintain up-to-date software.
In recent years, the vast majority of businesses, large and small, are using platforms such as Magento, Drupal, OS Commerce, WordPress, Joomla! and many others. They do so for good reason – these frameworks make the building and maintenance of a highly effective e-commerce business a lot easier than doing a custom or bespoke build. The key with using these platforms is that you need to make sure you are using the most up-to-date version – and that you update your website as soon as a new patch is issued. Huge numbers of websites are hacked daily just because they are using old versions of software on their website. In addition, using a web application firewall ensures that while you may not be lightning quick in rolling out the latest update, the web application firewall will protect your website like a “virtual patch”.
2. Create a custom admin path.
Attackers begin many of their attacks utilising automated techniques that look for standard configurations on websites to then initiate brute force attacks on username/password combinations. By changing your Admin Path from yourwebsite.com/store/admin to yourwebsite.com/store/alskdj (or whatever you want), the attackers will have to work a lot harder to find your admin page to attack.
3. Malware scanning.
Use an internal malware scanning solution to identify the latest malware being used to steal data from online businesses – Foregenix FGX-Web solution is one of the most comprehensive malware scanners available – designed for website-specific malware and updated frequently by our forensic team.
4. Passwords.
Our forensic manager, James Allman-Talbot, wrote a great article on passwords. We would highly recommend you follow his advice and create a very strong, complex, unique password to access your website admin interface. Even better would be to implement 2-factor authentication for all your users.
5. Monitor for Unprotected Credit Cardholder Data.
Most e-commerce websites are correctly set up to handle transaction data securely – often by using a secure payment service from a payment service provider. However, considering that payment cardholder data is highly valuable to a criminal, many websites continue to fall victim to payment cardholder data theft.
The attacks usually involve malware, changes to a website and unusual system behavior – all of which should be detected with other layers of detection and defence, such as those highlighted above. But if the attackers manage to evade detection to the point where they are able to extract transaction data, usually they will store that data in a file somewhere on your website for later harvesting. More often than not this payment card data awaiting extraction is not encrypted.
A regular “PAN scan” of the website’s file system and databases for unprotected credit cardholder data will identify these files ready for exfiltration and alert you to the issue.
6. Use an Advanced Web Application Firewall.
Our research in carrying out forensic investigations on online businesses over the last decade has shown that in over 95% of all hacked e-Commerce businesses investigated by our team over a 10 year period have fallen victim to one of these three major threats:
A properly configured and managed Web Application Firewall will protect your website against these attacks. Not only that, a Web Application Firewall will provide a website with “virtual patching” when a zero day vulnerability is released. This protection will buy a web admin time to test the patch and then update the system in his/her own time, knowing that the website is protected.
Foregenix FGX-Web includes an Advanced Web Application Firewall as standard for all FGX-Web clients.
If you're wondering how to do all of this, our team can help you understand the current threats on your website - and demonstrate how website security can be simplified for your you to protect your online business going forward.