
How does CSIM hijack e-commerce traffic?

Client-side injection malware, or CSIM, can manipulate how Web advertisements are served on a user's browser. Expert Nick Lewis explains how this happens and how enterprises can stop CSIM.

What is client-side injection malware and how does it work? Are there any additional security controls enterprises should put in place to mitigate such a threat?

Client-side injection malware is another variant of adware, potentially unwanted programs, spyware and other similar types of malicious code. CSIM requires unauthorized code to be installed on the endpoint to manipulate the ads displayed in a user's browser. The code could be a browser extension, an app that monitors for e-commerce discounts or "deals," or even something that changes network settings on an endpoint to alter what ads are displayed on the endpoint's browsers.

In a recent study, security vendor Namogoo outlined how there are millions of dollars to be made by manipulating what ads are displayed on an endpoint and hijacking a website's e-commerce traffic. CSIM authors can profit from displaying certain ads or from preventing certain ads from being displayed on an endpoint. For example, an ad displayed on a webpage could be changed from the intended ad to an ad from a competitor.

There are additional security controls an enterprise can implement to monitor for CSIM affecting the ads displayed on its website. Security vendors such as Namogoo, Sucuri and others offer services that can prevent these types of attacks by requiring an additional line of JavaScript code in a website to detect if CSIM is in use on an endpoint. An enterprise could also manually monitor the e-commerce traffic to its website and ask its ad networks for similar information, to see whether the e-commerce traffic generated a similar and expected volume of connections to the ad network. If a discrepancy is found between the two, then it's possible the e-commerce traffic is being hijacked by CSIM.

The same controls for preventing malware on an endpoint work for client-side injection malware, with the caveat that some companies that provide adware as well as coupon, deal or price notification apps operate on the border of legitimacy and might start changing how ads are viewed on an endpoint. As a result, additional vetting might be necessary to evaluate the risk of a particular app or program from such companies, as well as the risk of it including rogue functionality.
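As an added illustration of the in-page detection idea mentioned above (this is not code from the article or from any vendor it names), the following sketch lists page resources loaded from origins the site did not authorize, which is one observable footprint of injected ads. The allowlist, function names and sample URLs are assumptions constructed for the example.

```javascript
// Added example (not vendor code): flag resources whose origin the site never
// authorized. ALLOWED_ORIGINS and every sample URL are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",         // the site itself
  "https://ads.example-net.test", // the ad network the site contracts with
]);

// Resolve a src value against the page URL and return its origin. URLs with no
// network origin (data:, blob:, javascript:) are reported by their scheme.
function originOf(rawUrl, pageUrl) {
  try {
    const u = new URL(rawUrl, pageUrl);
    if (u.protocol === "http:" || u.protocol === "https:") return u.origin;
    return u.protocol;
  } catch (e) {
    return "invalid"; // unparseable src: still worth surfacing for review
  }
}

// elements: [{tag, url}]. Returns the entries whose origin is not allowlisted.
function findUnexpectedResources(elements, pageUrl, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  for (const el of elements) {
    if (!el.url) continue; // inline element with no src: nothing to resolve
    const origin = originOf(el.url, pageUrl);
    if (!allowed.has(origin)) findings.push({ tag: el.tag, url: el.url, origin });
  }
  return findings;
}

// Browser wiring: convert live DOM nodes into the plain records used above.
function snapshotDocument(doc) {
  return Array.from(doc.querySelectorAll("script[src], iframe[src], img[src]"))
    .map((n) => ({ tag: n.tagName.toLowerCase(), url: n.getAttribute("src") }));
}

// Constructed sample of what a page might contain on an affected endpoint.
const SAMPLE_PAGE = "https://shop.example/cart";
const SAMPLE_ELEMENTS = [
  { tag: "script", url: "/static/app.js" },                      // same origin
  { tag: "iframe", url: "https://ads.example-net.test/slot/1" }, // contracted ads
  { tag: "script", url: "//deals-helper.invalid/inject.js" },    // not authorized
  { tag: "img", url: "data:image/png;base64,AAAA" },             // inline content
];

const findings = findUnexpectedResources(SAMPLE_ELEMENTS, SAMPLE_PAGE);
console.log(JSON.stringify(findings, null, 2));
```

In a browser, `snapshotDocument(document)` supplies the element list and the findings can be reported back to the site for aggregation; a site that legitimately uses inline `data:` images would add `"data:"` to its allowlist.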


This was last published in January 2016
