Researchers from Israeli cybersecurity firm Source Defense analyzed 4,300 major websites. According to their report, websites in the sample averaged 12 third-party scripts and three fourth-party scripts.
As CPO Magazine explains, Magecart attacks—the collective term for various groups using malicious scripts to steal payment card information—have surged in prevalence in recent years. In 2018, a Magecart attack on British Airways ended up exposing the personal information of about 500,000 people and leading to a fine of more than $200 million.
“While retail and credit card breaches grab the most headlines, this is a pervasive and relatively unchecked risk to both security and privacy across all verticals,” Source Defense CEO Dan Dinnar said in a statement. “It’s also a fast-growing and extremely volatile issue with regard to sensitive data.”
The financial services industry was the most affected, according to the Source Defense report, with an average of 16 third-party and six fourth-party scripts per site. Healthcare was next, averaging 13 third-party and five fourth-party scripts, along with travel, averaging 13 third-party and four fourth-party scripts.
A survey conducted in fall 2021 by CRA Business Intelligence, part of CyberRisk Alliance, further illuminates the potential threat. Participants included more than 300 IT and cybersecurity decision-makers who use third parties. Of these, 60% said they experienced an IT security incident in the prior two years due to a security lapse that began with a third party. What’s more, 45% said these exposures cost them $1 million or more.
According to Security Boulevard, shadow code “means the unauthorized use of code derived from internal or external sources to help facilitate software and application development.”