
AppSec predictions 2021: Supply chain attacks are a greater threat to all industries
This is the final post in a three-part series of AppSec predictions for 2021. You can read the complete series here.
Every year(ish), I publish our AppSec predictions about three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks. This year our predictions are informed by our augmented Threat Intelligence Service, which is a part of Barracuda Advanced Bot Protection. In short, we have significantly more data informing our conclusions.
Supply chain attacks spread further and become a bigger threat across industries
Supply chain attacks are attacks against the software supply chain: the third-party components an application depends on, rather than the application itself. This takes many forms, but in this webinar we talk about the attacks against web applications. These attacks were first discovered around 2018 and dubbed Magecart because they were primarily targeted at Magento-based online shops. The attackers first identified third-party JavaScript that was widely used on checkout pages. They then compromised those source files and inserted their card-skimming code. When a user loaded the site, the now-malicious JavaScript was loaded with it, and it stole the user's credentials.
Through 2019 and 2020, there were a number of large attacks by this group, and they hit some high-profile targets such as British Airways. At this point, thousands of compromised shops have been identified, and many cybercriminal groups are operating with this attack. Some of these compromised scripts are quite advanced: when a web vulnerability scanner runs, they do not execute their malicious code and behave as if they were working normally, which prevents detection. So there are some fairly advanced and organized groups working on this. You also have the Inter Skimmer, which has become the most popular tool for attackers wanting to execute this type of attack. As with bots, there are actual support channels, proper research and development behind the products, and an underground economy.
This is an example of a skimmer that Visa detected in August 2020. As you can see, the creators went to great lengths to avoid being discovered and removed from sites that were using the vulnerable JavaScript.

This graph from HTTP Archive shows the breadth of the problem — about 80% of the scanned sites used vulnerable third-party JavaScript.

AppSec in 2021 continues to be interesting
When it comes to bots and reselling, legislators are getting involved. In the UK, for example, there is an attempt to block resale above the MSRP of products. There is precedent for this: in 2015, the U.S. passed a law against ticket scalping after a massive surge in complaints about scalpers. Whether these new laws work, or whether the bot makers continue their behavior of poking holes in parental rules to get their cookies, remains to be seen.