Most code operating on a typical website is controlled by third parties not controlled by the website. And that poses security risks.

Chris Olson CEO, The Media Trust

Chris Olson CEO, The Media Trust

E-commerce isn’t what it used to be. What was once a simple, worry-free task is now burdened with security challenges such as ransomware propagation and payment compromises

It seems that only a few years ago, consumers just clicked on a link and quickly bought their desired products. That experience has now transformed into a full-fledged shopping phenomenon complete with product research, price comparisons, recommendation reviews, three-dimensional fitting—and this is all before the actual purchase and shipping option selection.

Accommodating customer needs and creating this rich tapestry of virtual merchandise displays requires a variety of functionality. Those new functionalities, however, are not as homegrown as they once were, which presents a bevy of risks to the e-commerce operator. Managing these new-found digital risks starts with knowing who executes in your e-commerce environment at all times in order to ensure it is free of malware, performance-sapping vendors and privacy-violating data collection activities.

Third-party code is out of control


The digital environment has experienced a paradigm shift. At one time, 90% of all code executing on a typical website was owned and operated in-house. Today, that figure has almost been completely inverted with at least 78% of code now provided and managed by third parties that deploy their applications outside of the purview of the website operator’s IT, data privacy and security infrastructures according to historical research by The Media Trust. Increasingly, this code is unknown to IT and, therefore, becomes a significant contributor to “digital shadow IT”.

On a typical website 78% of code is provided and managed by third parties that deploy applications outside of the purview of the website operator’s IT, data privacy and security infrastructures.

The problem with digital shadow IT is that it is frequently targeted by hackers and cybercriminals who—knowing they can evade detection by the website operator—continuously probe those applications for vulnerabilities to inject malicious code.

It happens more than you think. Magento’s open source content management system tailored for e-commerce and used by more than 200,000 companies worldwide, was one such example in which cybercriminals in 2015 used malware to infect thousands of domains in a matter of days through third-party extensions. In 2014, Gigya, a company that offers identity management and a third-party code library for website developers, also turned out to be a target when The Syrian Electronic Army (SEA) hacked into its DNS registry, which enabled the hijack of Gigya’s customers, including brand-name websites like Betty Crocker, Dell, Office Depot, and Walmart Canada. Even web analytics firms such as Clicky aren’t immune. Clicky was spoofed to execute code which profiled visitors and injected malware onto devices of government-affiliated individuals.

Trusting strangers is not a security policy


Many retailers rely heavily on third-party services to render their websites and applications. From data management platforms, content delivery networks, automated marketing services, video hosting platforms, product reviews, to social media tools and more, third-party code permeates almost every consumer-facing website. The problem is that these services can unintentionally function as a conduit for malware and latency, as well as surreptitiously monetize and track consumers’ behavior on the site. Because they operate outside the retailer’s cybersecurity infrastructure, the website operator’s IT or marketing teams have no visibility or control over this vendor activity, nor what the consumer sees in their browser.

As more consumers use digital channels to search, compare and buy goods, the industry needs to adopt quality and security best practices. This is even more critical for ad-supported e-commerce websites which need to protect the consumer experience from compromised advertisements or “malvertising”, poor ad performance in the form of page takeovers and auto-audio, and more. Inability to properly control the advertising experience—from ad creation to landing page—exposes retailers to brand damage and potential regulatory violations.

An e-commerce site that has been hacked, even for a few hours, results in lost transactions—those few hours negatively affect consumer confidence, which can translate into millions of dollars of lost revenue.

Taking back control


To protect the brand and ensure a safe browsing experience, retailers must establish and maintain a strong website security posture as outlined by IT and/or Information Security professionals. Strong governance sets the processes and cadence for detecting the presence, identifying the actions, and evaluating the validity of the third-party website.

Prevention boils down to deployed policies and processes that help curtail the odds of an attack based on known entities and confirmed threats. However, that becomes more complex with unknown entities or yet to be confirmed threats.

Securing the website

The ability to effectively manage an e-commerce site requires intricate command of the technology, processes and vendors needed to render pages that not only meet revenue goals, but do so without compromising the user experience. This means websites must be free of malware, performance-sapping vendors and privacy-violating data collection activities.


The best defense is information. The ability to identify third-party vendors (and the fourth and fifth-party vendors they call) is half the battle. Continuous monitoring of the website from your customers’ points of view, will detect all executing vendors, and how these vendors and/or their actions—specifically the domains executed and cookies dropped— change according to user geography, OS/browser, device and established internet behavior profile. Collecting the right vendor intelligence will enable retailers answer the following six questions about each vendor contributing to their Digital Shadow IT:

  • Who is executing on my website?
  • What requested functionality is the vendor providing?
  • Who in my organization requires/authorizes this functionality?
  • Does the vendor execute additional unwarranted functionality, e.g., social media widgets dropping cookies, video platforms tracking user behavior beyond the session or backend analytics launching executables?
  • Do these vendor activities comply with company and regulatory policies?
  • How and when does the authorized behavior change?

Unless security professionals have a true digital risk management program in place to monitor all code executing on their website using multiple user profile combinations, there really is no other way to defend their websites against breaches. This preventative stance is especially valuable for e-commerce website security, where there is a direct impact on revenue, reputation and sensitive customer information.

The Media Trust provides security and privacy services for website operators, including scanning ad tags and third-party code for malware, data privacy violations, and performance issues.