Fraud Detection & Prevention in Public Sites

Public sites are more vulnerable to attacks and frauds as they offer unrestricted access to every visitor. If you do not control these attacks and frauds at the beginning, they will lead to stealing sensitive information, hijacking computers, devices or can even damage your business reputation by misusing any information.Let’s take a look at three common frauds and attacks seen in public sites and their preventive measures:

XSS Attacks

In XSS or Cross-Site Scripting attacks, malicious scripts are injected into websites. These attacks generally occur when a web application runs an input from a user without validating or encoding it.

Use Case

Challenge: Frequent Cross-site scripting (XSS) attacks were taking place on a customer’s Visualforce page. Since developers and IT staff overlooked this initially, these attacks grew rapidly and started corrupting sensitive files and stealing important information from the website.

Although IT security staff had started spending most of their time detecting these attacks and fixing the VF page, it was affecting their productivity. So, the client required an XSS attack prevention solution that could not only safeguard the VF page from attacks but also let the IT staff focus on their core operations.

Solution: Visualforce pages had open JavaScript, which  could easily be manipulated and corrupted. Our experienced Salesforce developers used JSENCODE function to safeguard the customer’s VF pages from XSS attacks.

The JSENCODE function was applied to encode text strings and merge field values by adding escape characters such as backslash (\) before any unsafe JavaScript characters. {!JSENCODE(text)} replaced text with the merge field or text string that was containing the unsafe JavaScript characters.

Result:  Cross-Scripting attacks were no longer possible on the customer’s website. It significantly improved the Visualforce page performance, and also saved their IT security staff’s time.

URL attacks

In a URL attack, an attacker manually adjusts the parameters by changing the semantic meaning of the URL without altering its syntax. This attack not only compromises the security of a company website but also causes serious financial loss.

Use Case

Challenge: One of our customers, a renowned fitness product manufacturer, was dealing with URL attacks. They were using a product replacement process and a tool to replace products that their customers would complain about. A service engineer would email a replacement form link to the customer who had logged a case for replacing a defective product. The customer would click on the link, fill out the form, and confirm the shipping address to receive the new product at.

Soon, the company started getting hits on replacement links as the URLs had a standard case ID which could easily be manipulated. Any customer who had received a replacement link could easily play with case ID numbers to access other replacement forms, and could then change details. Due to these attacks, products were delivered to wrong addresses, which not only caused loss of thousands of dollars to the company but also harmed its reputation.

Solution: Instead of the standard case ID, our Salesforce developers placed a custom token in the replacement link, which had a random string of 24 characters to prevent manipulation of the URL.

Result: The URL attack cases significantly dropped. Leveraging custom token and IP addresses, service engineers could easily detect the fraudster and take necessary action.

Machine Hits

In a machine hit, an attacker uses JavaScript to hit and manipulate any URL. It is largely used when a URL contains any type of code/token/ID. Using JavaScript, attacker hits the URL for 100k- 200k in one go to find out matching code/token/ID and compromises the company’s business.

Use Case

Challenge: A customer’s website was getting hits more than the normal limit (5-8k) every day. It was affecting the overall business process, product delivery, and most importantly, customer relationships.

Solution: We placed a captcha filter in the URL to prevent machine hits. As a machine cannot read the captcha,  it could not proceed with the URL manipulation attack.

Result: Machine hit counts dropped significantly. It is relatively simple for humans to read the obscured and distorted words in a graphic, but so far no one has been able to program an automated system to do the same thing.

The Bottom Line

Frauds cost a lot of money, customers, and business to an organization. It is advisable to employ and follow advanced fraud detection and prevention measures to ensure the safety of your customers, resources, and revenue while performing your regular business operations online.

Need Help with Fraud Detection & Prevention? Contact Us.