How to Prevent Hackers From Hijacking Memorial Day

It's a somber day, in many respects, but Memorial Day has emerged as one of the biggest shopping days of the year. A day to remember the sacrifices made by Americans who fell in battle (about 2.8 million since the Revolutionary War). It's also, for many, a time to celebrate the freedoms that America affords its citizens. That, and the day’s proximity to summer, is perhaps some of the reasons Memorial Day has turned into a day for baseball, barbecues, and buying.

Whatever the reason, Memorial Day sales bring shoppers out to the mall – and to the websites of mall stores and other e-commerce sites that seek to cash in on the Memorial Day shopping frenzy. Already, inboxes are stuffed with offers and sales, enticing recipients to click on a big deal before it's gone.

Of course, online shoppers are by this time savvy enough to avoid clicking on the wrong link. An e-mail from a store you've never heard of offering a too good to be believed deal is something you'd probably want to avoid; a message from a top retailer or e-tailer that was sent from a strange domain will go straight into the trash; an email that tells you to click on a link so you can collect the $500 Amazon gift certificate you “won” is something you would never click on.

If you don't click, you won't get in trouble – not. It turns out that even when purchasing from a legitimate, well-known, and ostensibly safe e-commerce site, customers can get hacked. How? When sites utilize third-party scripts installed by their e-commerce partners, attackers can get at data provided by customers – including credit card information, account credentials, Social Security numbers, and more.

All it takes is a keylogger – a piece of software that records the keystrokes inserted on a web page – which hackers can deliver to sites using legitimate scripts originating on the server of the e-commerce site but compromised in a hack attack: and there's not a damn thing customers can do to protect themselves.

Third-party scripts are responsible for much of the magic of the internet as we know it – the ability to chat, see videos, view ads, connect to social media, etc. In order to plug into those services, the companies responsible for them provide JavaScripts to e-commerce sites. These scripts are plug n' play usually requiring a minimum of customization.

Like any other computer code, those scripts can be compromised, and if they are, hackers can use them to crack the security of the site where they are installed. In one well-known exploit, hackers were able to corrupt banner ads that were served up by ad networks on well-known content sites.

Attackers are able to get access to ad servers and target specific groups (users of specific browsers, customers located in specific areas, etc.) with hacked versions of the ads (which looked exactly the same as the original ad, and differed only in a small additional script). With the exploit, hackers were able to hijack as many as a million users a day to their servers, where they were able to install malware or use the clicks to cheat advertisers.

They could just as easily install a keylogger to collect login data – and the only reason they didn't was likely because there was nothing for them to steal. But on an e-commerce site where users store (“securely”) credit card and other sensitive data, it's likely they would use a keylogger, or other malware to get them access to a user’s account.

Unless the e-commerce site is proactive in dealing with this, the only way customers, and sites will know that anything is amiss is when it's too late – after hackers have already stolen and sold credit card data, login credentials, or anything else they deem valuable. Sites do not have access to the code that goes into the scripts their partner provides them – and even if they do vet the code at the outset, they cannot keep an eye on those scripts 24 hours a day, and thus could miss the subtle code changes instituted by hackers.

What, then, can an e-commerce site do to protect its customers – and itself from recriminations, lawsuits, and possible bankruptcy due to the penalties and payments it might face? If customers – and sites – can't know that they are facing a threat, how can they defend against it?

One way could be to sandbox scripts – to isolate them from the other components of an e-commerce site that could be affected by malware. In such a setup, a script's code could be executed on a virtual web page, with a security system checking whether it behaves as expected. Thus, the security system would check links that the script presents to ensure that they arrive at the destination they are supposed to go to; it could determine if the script is trying to install malware on a system; or if it tries to run a keylogger or another rogue program.

If everything checks out, the code is allowed to execute on the “real” web page – and if it doesn't, it's dismissed, with the site and its customers protected from harm. Using this strategy, e-commerce sites can provide their customers with all the services they have come to expect – and ensure that their reputations remain safe, on Memorial Day and every day of the year.

What’s Hot on Infosecurity Magazine?