Who has been affected by the breach?
Feedify is a provider of push notification services for online websites with
over 4,000 customers around the world.
However, investigation by ZDNet.com revealed that the malicious library has been embedded on approximately 300 websites, syphoning off visitors’ transactional data.
The actual number of affected individuals is unknown as the attacks may still be under way.
Reports from the infosec experts indicate that despite Feedify’s attempts to remove the code from their library, Magecart – the group responsible for the attack – has managed to re-add it at least two times.
It’s not known how Magecart accessed the Feedify servers. The company itself still hasn’t commented on the issue.
What is Magecart?
Magecart is a hacker operation specialising in skimming credit card details from unsecured payment gateways on websites.
It seems that recently the group has switched their strategy from hacking into the online shops to attacking popular third-party scripts. This means they’re now able to hit multiple targets simultaneously.
Earlier this week it became known that Magecart is responsible for the damaging attack on the website and mobile application of British Airways,
compromising the financial data of 380,000 people.
The same script has been used on Ticketmaster website, compromising payment card data of
nearly 40,000 individuals.
The list of Magecart victims goes on and includes companies such as
- CMS Clarity Connect
- Annex Cloud
and likely many others.
Is adding third-party elements worth the risk?
Websites now have dozens if not hundreds of third-party elements embedded in their code.
The Magecart hacks show the real danger of this, especially for the websites processing sensitive data like payment card details.
Since these components are hosted on external servers, you have no control over them, and limited possibilities to detect potential breaches resulting from the malicious code modifications.
If you decide to work with SaaS vendors using third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. (In the case of TicketMaster, the weakest link was a third-party script providing a chatbot used to communicate with clients.)
To eliminate that potential weak link, it’s better to steer away from third-party scripts and move towards products hosted on your own infrastructure or in a private cloud.
That way you remain in full control over any scripts implemented, and can apply additional security measures to prevent unauthorized access to clients’ sensitive transactional data.
There are several vendors providing such products with on-premises and private cloud options. One of them is Piwik PRO.
If you want to learn more about our offer or simply have some more questions about the recent breaches, don’t hesitate to contact us. Our team will be happy to help!