Researchers from Israeli cybersecurity firm Source Defense analyzed 4,300 major websites. According to their report, websites in the sample averaged 12 third-party scripts and three fourth-party scripts.
Source Defense defined a third-party script as “a JavaScript resource loaded into a webpage to provide functionality beyond the core functionality of the website.”
As CPO Magazine explains, Magecart attacks—the collective term for various groups using malicious scripts to steal payment card information—have surged in prevalence in recent years. In 2018, a Magecart attack on British Airways ended up exposing the personal information of about 500,000 people and leading to a fine of more than $200 million.
“While retail and credit card breaches grab the most headlines, this is a pervasive and relatively unchecked risk to both security and privacy across all verticals,” Source Defense CEO Dan Dinnar said in a statement. “It’s also a fast-growing and extremely volatile issue with regard to sensitive data.”
The financial services industry was the most affected, according to the Source Defense report, with an average of 16 third-party and six fourth-party scripts per site. Healthcare was next, averaging 13 third-party and five fourth-party scripts, along with travel, averaging 13 third-party and four fourth-party scripts.
A survey conducted in fall 2021 by CRA Business Intelligence, part of CyberRisk Alliance, further illuminates the potential threat. Participants included more than 300 IT and cybersecurity decision-makers who use third-parties. Of these, 60% said they experienced an IT security incident in the prior two years due to a security lapse that began with a third party. What’s more, 45% said these exposures cost them $1 million or more.
According to Security Boulevard, shadow code “means the unauthorized use of code derived from internal or external sources to help facilitate software and application development.”