Future perfect: Jscrambler’s client-side protection and AI cybersecurity
January 9th, 2024 | By John Leyden | 8 min read
AI cybersecurity is so hot right now. The corporate upheavals at OpenAI – the firm behind the ChatGPT chatbot – have given artificial intelligence an even higher profile over recent days but AI technology plays a prominent role in everything from mapping apps to corporate web development.
AI cybersecurity: JavaScript ex-machina
AI complements the work of human programmers by making the development process more efficient through the use of coding assistants.
JavaScript has moved from a tool for internal developers into a technology that allows businesses to improve their ability to operate and innovate on the web.
Visibility and control over how tools and AI platforms collect data are becoming increasingly important even before we consider how evolving AI technology might be abused to develop client-side attacks.
Threat actors can harness AI tools, in particular LLM (large language model) tools such as ChatGPT and Google Bard, to improve the ability to attack internal code. For example, hackers can exploit debuggers or try to tamper with code using AI-based tools.
[LEARN MORE] Anti-debugging technique
AI tools have also increased the ability of script vendors to collect more data. This creates a raft of data leakage and data privacy issues.
Novel attack vectors
Deployment of artificial intelligence can increase the attack surface of software systems whilst also setting up the possibility of more advanced client-side attack vectors.
For example, Israeli security start-up Adversa has shown how machine learning systems might be vulnerable to so-called adversarial attacks. Datasets used to train machine learning systems might be poisoned with maliciously crafted data samples, Adversa warns.
Changing the script
JavaScript plays a significant role in the integration of AI into web development. With the growing availability of machine learning libraries, JavaScript developers can now integrate machine learning and artificial intelligence into web application development through technologies such as TensorFlow.js.
Continuous updates have increased the attack surface of JavaScript, a trend that AI is reinforcing and accelerating. Modern web applications load an average of 20+ third-party scripts, creating a software supply chain risk.
Potential vulnerabilities include broken access controls, data leakage, formjacking, account takeovers, and more.
Commercial imperatives are driving the use of Javascript to support business goals, for example by allowing organizations to hyper-personalize the user experience using data from affiliate websites.
For example, e-commerce operations are using tags and scripts to gather information needed to personalize the user experience.
Advertising tags, pixel social media tags, marketing tags - chatbot, a/b testing, analytics, payment tags, performance tags, and more are all giving the business the data needed to improve the customer web experience.
AI-powered tags are collecting more and more data at an accelerating rate through mechanisms the "business" has no visibility upon and little ability to control - hence the need for businesses to rethink their security strategy.
Client-side protection
JavaScript is where the rubber hits the road in the arena of web development. Both corporate intellectual property and end users need to be protected from malicious activity delivered through the medium of dynamic web pages.
A growing number of organizations are recognizing that protecting the client side of their web apps is needed to stay compliant with standards like PCI DSS v4, and better shield their c personal data, while also serving to improve web security maturity more generally.
Businesses need a holistic security solution that can deliver a combination of advanced first-party JavaScript obfuscation and state-of-the-art third-party script protection.
Client-side risks visualized
Jscrambler offers a comprehensive client-side protection and compliance platform that includes obfuscation and runtime protection tools for safeguarding a first-party code and a solution for effectively monitoring third parties in real-time, as well as blocking their access to sensitive data.
By using Jscrambler’s platform, clients gain real-time visualization of any script that could represent a threat to the integrity of the user's data, highlighting behaviors understood as undesirable or suspicious.
Jscrambler ‘s platform can, amongst other functions, catalog all vendors and cross-reference this data with the rules that can be configured to develop a compliance policy. The software provides detection of a wide variety of attacks:
Detecting web-based supply chain attacks.
Detecting data exfiltration (e.g. Magecart).
Avoiding poisoning and tampering with the DOM.
Protecting against web-based threats and malware.
Reporting threats detected in near real-time to the backend of the applications, allowing a quick reaction to address the threat.
Gaining visibility of any client-side changes.
This collective functionality helps organizations to ensure the integrity of payment pages – a key new requirement of the revised PCI DSS v4 payment industry regulations due to become mandatory at the end of March 2025.
Magecart
Over recent years, an array of cybercrime groups have attempted to inject web credit card skimmers on e-commerce and payment websites through so-called Magecart-style attacks.
British Airways, the most high-profile victim to date, from a Magecart-style attack, was fined £20m ($25.4m) for a data breach that affected more than 400,000 customers by the UK’s Information Commissioner’s Office.
In the summer of 2018, cybercriminals gained access to an internal BA application by abusing compromised credentials for a Citrix remote access gateway. This hack was used as a toe-hold to hack more sensitive systems in a series of attacks that allowed cybercriminals to edit a JavaScript file on BA’s website, allowing fraudsters to exfiltrate sensitive cardholder data to a rogue domain controlled by the crooks, an ICO investigation found.
Client-side application security
Organizations faced with the challenge of preventing Magecart-style skimmers from covertly running on their sites and exfiltrating data can use behavior-based detection from Jscrambler to mitigate the threat.
Clients of the Jscrambler client-side protection platform include banks worldwide, a major airline in the EU, a top retailer in the US, and three top US-based entertainment companies.
Other clients operate in industries including financial services, payments, e-commerce, travel and logistics, gaming and gambling, and healthcare. Clients use the technology to guard against data leaks, regulatory infractions, and integrity violations.
Client-side Protection platform
Jscrambler has been focused on client-side security since 2010. Jscrambler provides multiple layers of client-side protection – from making code resilient to tampering and interference with scripts supplied by third-party tools and risky vendors.
The technology allows clients to protect user data and comply with regulatory standards such as HIPAA (the US Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation) as well as standards including PCI DSS.
With Jscrambler, your teams are free to take full advantage of third-party scripts and client-side innovation, confident in the knowledge that you are heavily protected from cyber attacks, sensitive data leakage, misconfigurations, and IP theft.
Jscrambler’s client-side protection platform allows businesses to concentrate on innovation while staying compliant, secure, and safe from data breaches and client-side attacks that are being powered by AI.
Jscrambler
The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.
View All Articles