How to protect your organization against ad-based JavaScript exploits

According to DEVCON, cyber criminals continue to exploit vulnerabilities in JavaScript to attempt to steal sensitive consumer data through advertisements.

Java and JavaScript dominated software development in the 2010s
Ruby on Rails and PHP were popular in the short term, but in the long term, and Python is increasing again.

JavaScript has long been a favorite target of cyber criminals who take advantage of vulnerabilities in the web-based code to implement malware against unsuspecting victims. A specific type of attack that JavaScript exploits is malvertising or advertising threats, which use online advertisements to spread malware.

DEVCON’s 2019 Holiday Threat Report, released on Wednesday, illustrates how criminals use ad-based attacks and offers advice on what organizations can do to better protect themselves against these types of campaigns.

SEE: The 10 most important cyber attacks of the decade (free PDF) (TechRepublic)

Advertising threat is defined by DEVCON as the armament of advertising technology to spread malware, Trojan horses and other malicious attacks to consumers and to deceive marketers and publishers.

During the 2019 Christmas shopping season between Thanksgiving and Cyber ​​Monday, the level of lower-risk digital advertising even dropped to 0.07% from 1.25% in 2018, DEVCON said. However, the number of highly advanced attacks with this method increased. More than 60% of malicious advertising threats from this period came from highly advanced attacks such as Led Zelpdesk, Lucky Star, Avid Diva and Invisible Ink.

These more advanced attacks use both social engineering and exploited JavaScript in an attempt to steal consumers’ credit card information or mislead a user into downloading a trojan.

How cyber criminals bind their victims

In this regard, cyber criminals apply a few tactics to attack their victims:

  • Misuse of the code of a service provider. Bad actors create fake accounts with ad networks and use that company’s ad tags to deliver exploits on websites without jeopardizing the target company’s servers.
  • Partner exploitation. One type of attack that has surfaced is Magecart, which skips e-mail addresses, passwords and other sensitive data from online payment forms in an attempt to steal that information. To carry out these attacks, cyber criminals will look at checkout and login pages to find external partners that can easily be compromised. The attackers then implant malicious code into those pages to collect the sensitive data as it is entered on the form.
  • Exploitation of code vulnerabilities. Cyber ​​criminals target companies that use JavaScript or third-party libraries and try to exploit vulnerabilities in the script itself.
  • Infect JavaScript with malicious code. Cyber ​​criminals can use JavaScript to hide infected items such as image files, fonts and advertisements. For example, an image for an advertisement infected with malware can be hidden with JavaScript code.

“While these less advanced hackers are being excluded from the ad threat game, the more advanced bad actors are not only becoming more covert in covering up these attacks, they have escalated the types of exploits, broadened the attack surface and are not limiting these attacks on the ad tag scripts, “said DEVCON CEO Maggie Louie in a press release. “The real risk is data breaches, which can lead to huge fines in the new regulations. Advertising threat is a security gap that should not be managed by marketing teams, just like phishing attacks by email marketing teams.” threats must be managed and monitored by security teams. “

SEE: How to build a successful CIO career (free PDF) (TechRepublic)

How to protect your organization

To protect your organization against ad-based attacks that use JavaScript, DEVCON offers the following recommendations:

  • Focus on creating a safety culture in your company. The CTO, CISO and / or CIO must have the necessary means to maintain site security in all potential threat areas. Code may not be tested or installed without being checked by the security team. Your security teams must also monitor and limit all third-party JavaScript risks.
  • Perform a security audit. Use an independent security company to fully audit all third-party and fourth-party JavaScript on your site and decide how you can monitor that code continuously.
  • Perform an annual penetration test. Use an independent security company to perform an annual penetration test to detect any gaps in your security model. If you move assets to the cloud, you must also determine whether you are working with the cloud provider in a shared security model and you must be aware of your respective responsibilities.
  • Expand your plate. Consider appointing a CISO or CIO to sit on the board.
  • Search for security risks. Regularly evaluate security risks and mitigation measures in all your departments and
    emerging technologies
  • Look at your cyber security insurance. Check your cyber security insurance to make sure you have the right controls and mitigators to meet all your requirements.

Cyber ​​Security Insider Newsletter

Strengthen the IT security of your organization by staying up to date with the latest news, solutions and best practices for cyber security.
Delivered on Tuesday and Thursday

Register today

Also see

Nightly News Complete Broadcast (October 25th)

5 Pence associates test positive for Covid-19, nine days to go: candidates prepare for final days of campaigning, and 43 states and D.C. see a 10 percent Covid-19 case surge.Oct. 26, 2020

Sense energy monitor review: Your patience will be rewarded with great insight into your home’s electricity use

The gadget provides deep awareness of your power consumption, but the pace of discovery might frustrate you. Sense is a clever little box that will give you deep insight into your home's entire power usage. Today's Best Tech Deals Picked by TechHive's Editors Top Deals On Great Products Picked by Techconnect's Editors Table of Contents…

Hundreds of thousands lose power as Northern California braces for more wildfires

Hundreds of thousands of people lost power in dozens of California counties Sunday as weather forecasters predicted the most powerful winds of the year and the potential for more raging wildfires, officials said.Pacific Gas & Electric, which supplies power to millions across Northern and Central California, had shut off electricity to 225,000 customers by Sunday…

Leave a Reply