Online Journey Hijacking: Why HTTPS Isn’t Enough
March 11, 2019
by Ohad Greenshpan
With more than half of the world’s largest sites now actively redirecting to Hypertext Transfer Protocol Secure (HTTPS), it should come as no surprise that adoption of this standard has crossed the tipping point. Table-stakes requirements for protecting online businesses and users have evolved and will continue to evolve, and HTTPS is one positive response to this changing reality.
eCommerce has also evolved rapidly, and with it both the possibilities and the risks to users: underground businesses and malicious third parties exploit personal web browsers for their own profit. One common “below the radar” method is planting third-party advertisements into live e-shopping browser sessions, commonly known as Online Journey Hijacking.
How does this happen despite the HTTPS safety net? Hint: Location, location, location. Let’s take a closer look at how HTTPS works and why problems like Online Journey Hijacking continue to flourish despite it.
HTTPS: Securing the Browser-to-Server Connection
The original HTTPS protocol was released back in 1995. Dubbed Secure Sockets Layer (SSL), it enabled online credit card transactions by protecting payment data, and it helped validate the authenticity of the vendors you were doing business with. With it, you essentially knew that the site was trustworthy and that your transactions were safe.
SSL creates a secure, encrypted connection between the web server and the browser. Over an ordinary HTTP connection, all data passed between the two is exposed, which opens up the possibility of plain-text data being intercepted, stolen or even manipulated in a Man-in-the-Middle (MITM) attack.
By contrast, data sent via HTTPS is secured by the Transport Layer Security (TLS) protocol, which provides three key layers of privacy and data protection to the end user:
- Encryption: The exchanged data is encrypted to keep it secure from cyberattacks and to prevent eavesdropping on the user’s conversations and browsing activity.
- Data Integrity: Personal data can no longer be modified or corrupted while in transit from the browser to the server, or vice versa, without being detected.
- Authentication: Proves that your users are communicating with the intended website, protecting against MITM attacks and building user trust.
Warning: Your Customers’ Browsers Are Probably Infected!
How, and just as importantly, where does Online Journey Hijacking take place? Think code injections targeting consumer browsers. This growing problem — impacting 15-25 percent of visitor web sessions throughout the year — involves malware-driven, unauthorized product ads, pop-ups and banners that are injected into consumer browsers or devices.
Do your online customers know that their browsers can be infected with malware without their knowledge? Are they aware of all the add-ons, extensions and plugins they may have knowingly or unknowingly installed in their Chrome browser? Unfortunately, expecting them to have complete control over, and keep track of, this unwanted third-party software is quite unrealistic. And the fact that most consumers browsing online aren’t even aware of these injections is something ad injectors are all too happy to exploit.
They’re not the only ones in the dark, however. Because these ad injections run on the consumer’s browser or device, they run beyond the visibility and control of the website operator these infected users interact with.
The motivation behind these ads is simple: Target your visitors by layering compelling promotions throughout your site to hijack web traffic and conversions away to other offers.
How do browser injections work?
There are three main ways malicious code makes its way into a web browser: software the user knowingly downloads, drive-by downloads, and Wi-Fi router hijacking.
Be it a free browser extension, a free PDF viewer or even a free antivirus program, consumers download many legitimate web services that monetize themselves by letting developers and ad injectors embed malicious code under the hood, code that installs invasive promotions and tracks the user’s online behavior.
Another common culprit is known in technical circles as a drive-by download: the unknowing download of malware just by visiting an infected website. Drive-by downloads exploit browser vulnerabilities (or loopholes in plugins such as Flash or Adobe Reader) to achieve remote code execution, which then triggers the download of the malware.
Weakly secured and public Wi-Fi routers are also a common target, and they open the door for malicious code to be delivered to consumer browsers.
Once malicious code is running on the end user’s system, it is able to read all keystrokes, spy on all personal interactions, and latch on to internal browser APIs.
Client-Side Browsers? HTTPS Security Simply Doesn’t Go There.
Having an HTTPS connection ensures safe communication between the server and your machine. Unfortunately, that is exactly where its security coverage stops. Server-side security measures such as HTTPS, and even a Content Security Policy (CSP), cannot cover malicious activity taking place on the client side, in this case inside your customer’s browser. Consumer browsers can still be infected with code injections that give third-party people or organizations multiple options, such as Online Journey Hijacking, data harvesting and other kinds of malicious activity that can compromise your privacy.
In the case of Online Journey Hijacking, ad injectors are able to legitimately acquire SSL certificates that enable them to fetch data from the browser. For example, malicious code can track the user’s online behavior and inject related product ads directly into their web session.
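Because injected ads live in the page DOM, the site operator can at least observe them from there even though HTTPS and CSP do not reach that far. The following is an added example, not code from the original post: a small page-side detector that flags newly inserted nodes referencing origins outside an allow-list, or inline scripts, and reports them. The hostnames, allow-list and sample nodes are constructed for the illustration.

```javascript
// Added example, not from the original post: flag DOM nodes inserted into a page
// that reference origins the site operator never approved. Allow-list, sample
// nodes and the hostnames below are constructed for this illustration.
const ALLOWED_ORIGINS = new Set([
  'https://shop.example',      // the store itself (hypothetical)
  'https://cdn.shop.example',  // its own CDN (hypothetical)
]);
const URL_ATTRS = ['src', 'href', 'data', 'action']; // attributes that load remote content
// Origin of a URL resolved against the page, or null when it cannot be parsed.
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}
// Classify one node-like object {tag, attrs, text}: flagged when a URL attribute
// points outside the allow-list, or when it is a <script> with inline code.
function classifyNode(node, base = 'https://shop.example/') {
  const reasons = [];
  for (const name of URL_ATTRS) {
    const value = node.attrs && node.attrs[name];
    if (!value) continue;
    const origin = originOf(value, base);
    if (origin && !ALLOWED_ORIGINS.has(origin)) reasons.push(`${name} -> ${origin}`);
  }
  if (node.tag === 'script' && node.text && node.text.trim()) reasons.push('inline script');
  return { suspicious: reasons.length > 0, reasons };
}
// Scan a batch of inserted nodes and return the ones that look injected, so the
// site can report them to its own telemetry rather than stay blind to them.
function findInjectedNodes(nodes, base) {
  return nodes.map(n => ({ node: n, ...classifyNode(n, base) })).filter(r => r.suspicious);
}
// In a browser, feed DOM mutations to the classifier; this branch is skipped under Node.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const toPlain = n => ({ tag: n.tagName.toLowerCase(), text: n.textContent,
    attrs: Object.fromEntries([...n.attributes].map(a => [a.name, a.value])) });
  new MutationObserver(records => {
    const added = records.flatMap(r => [...r.addedNodes].filter(n => n.nodeType === 1).map(toPlain));
    for (const hit of findInjectedNodes(added, document.baseURI)) {
      console.warn('possible ad injection:', hit.node.tag, hit.reasons);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
// Constructed sample: two legitimate nodes beside two that an injector might add.
const SAMPLE_NODES = [
  { tag: 'img', attrs: { src: '/static/logo.png' } },
  { tag: 'script', attrs: { src: 'https://cdn.shop.example/app.js' } },
  { tag: 'iframe', attrs: { src: 'https://ads.injector-example.test/banner' } },
  { tag: 'script', attrs: {}, text: 'document.body.prepend(...)' },
];
```

The observer sees nodes added by extensions and other page-side code alike, since they share the DOM; legitimate third parties (payment providers, analytics, outbound links) must be added to the allow-list or the detector will flag them too.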
Security Doesn’t Stop with HTTPS Implementation
Online Journey Hijacking has become a widespread problem. The direct victim is the online consumer, who receives a greatly compromised experience and is often blasted with misleading ads when visiting an eCommerce website.
However, when those consumers are your customers, the worst damage caused by these disruptions is felt by your online funnel. The most costly risk is losing these infected customers: an unsatisfied online shopper usually doesn’t come back. Secondly, every session can lead to your customers clicking on unwanted external links and doing their shopping on other, often competing, websites.
Only advanced solutions offering client-side coverage can help ensure your optimal user experience is received as planned by your customers while ensuring they are not effectively being stolen away and sent to your competition!