What are the security risks of utilizing a marketing vendor that uses a reverse proxy?

Posted on 2011-09-12
Last Modified: 2013-11-19
Our Marketing dept has contracted with an outside marketing company (without the IT department's knowledge) which pulls our web site URL through their servers whenever someone clicks on one of their ads. They capture page views, emails, and other information. What is to prevent them from capturing our credit card numbers (we are an e-commerce site) as well? And what would prevent criminal elements from using this as a means of stealing credit card information?
Question by:Bible_on_stage
LVL 12

Assisted Solution

jhoekman earned 62 total points
ID: 36526041
I'll let someone who knows more about security than I speak to the actual technicalities, but if I were you, I would just stop serving ads on secure pages like your shopping cart when you are trying to get people to complete their purchase. The fewer distractions you have during your conversion funnel, the less likely they are to get distracted, increasing the chances they will complete their purchase.

And regarding the information they need from your site, they don't need to know anything more than page views and impressions served in order to fulfill the necessary data to the publishers they represent.  If they are collecting anything outside of that, I would be very concerned and again would not serve their information on those secure pages.

They have no reason to ask for email, etc.  They just need to know impressions and clicks so that they can measure ad performance.  

Can you tell us what ad provider you are using?
LVL 33

Expert Comment

by:Dave Howe
ID: 36528478
I think your first step should be some sort of traffic log analysis - you should see the traffic from the reverse proxy as all coming from a single or range of addresses; if that includes https traffic, then you have a significant problem and should contact whomever your ecommerce merchant account is with for advice. If it is http only, then you should move to *only* accepting customer info securely, even if that increases server load.

But it all starts with you finding out what is happening, rather than speculating how their "wrapper" works. You will find a lot of banner ad companies do clickthrough tracking (after all, they are paid based on how many they get, or at least need to supply clicks-per-campaign info) and will usually use cookies and other similar mechanisms to establish unique impressions (again, for metrics) but can reasonably defend that practice based on the fact that your *own marketing department* is asking for said metrics. You can also (if you wish) use the source IP to define a unique landing page for your redirected visitors; using many more absolute (full URL) links for things like user login/signup (fairly normal if you are forcing redirect to https anyhow) can get users transparently back onto a "direct" channel to you (which you can then monitor, again via the logs) unless the ad vendor is also deliberately rewriting your target URLs (which is possible; certainly Novell's reverse proxy products could do that routinely) - but again, your first step (and indeed, every other step :) is log analysis.

Author Comment

ID: 36529271
This company describes their services as "enables us to track all activity generated from your ad without ever needing to contact your webmaster." identifies their server's OS as Citrix Netscaler. All traffic, including https, is going through their server, and our logs show the traffic then coming to our server. The URL they write replaces our host name with theirs and everything beyond that is identical to our web site's paths. Their SSL certificate is encrypting the https traffic and Fiddler shows it as being passed to our server as http on port 443. From a technical side I don't like it but apparently Marketing does. But what I'm trying to understand is if this is a possible security vulnerability that affects our PCI compliance. And what would prevent a criminal enterprise from doing something similar. I haven't read anywhere of this type of technique as being identified as a security exploit, but it seems as something that would be reasonably easy to duplicate - so I feel there must be something I am missing and don't understand.

LVL 33

Accepted Solution

Dave Howe earned 63 total points
ID: 36529952
Ok. If they are also wrapping your HTTPS traffic, then you have a security issue. A lot depends on how you are processing CC or other PCI information, but effectively you are subject to a known man-in-the-middle attack against your site (if you are using a payment processor that handles such details themselves, then you may not be responsible for the result, but they may well take exception to "your" traffic always coming from another host); correspondingly, if you are knowingly allowing a third party to intercept CC traffic, then you could well be liable if that CC traffic goes astray.

I would first check to see if any PCI sensitive data IS going via these marketing servers. IF they are, then go to marketing and say you need signed paperwork from both the marketing company AND your payment processor that they are ok with this setup and accept all liability arising from this happening - otherwise you will block all HTTPS at the firewall from that IP range, and leave them to sort out the fallout.  
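The log check suggested in the comments above (separate the requests arriving from the vendor's proxy range, then see whether any of them reach payment pages), as an added example that is not part of the original thread. It assumes an Apache `vhost_combined`-style access log; the vendor range, host name and path prefixes are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the vendor proxy's egress range (203.0.113.0/24 is a documentation placeholder).
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: URL prefixes on this site that handle cardholder data.
SENSITIVE_PREFIXES = ("/checkout", "/account/payment")
# Apache vhost_combined style: vhost:port client ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^\S+:(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
shop.example.com:80 198.51.100.7 - - [12/Sep/2011:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
shop.example.com:80 203.0.113.10 - - [12/Sep/2011:10:01:05 +0000] "GET /products/42 HTTP/1.1" 200 2048
shop.example.com:443 203.0.113.10 - - [12/Sep/2011:10:02:11 +0000] "GET /checkout/cart HTTP/1.1" 200 4096
shop.example.com:443 203.0.113.11 - - [12/Sep/2011:10:02:40 +0000] "POST /checkout/payment?step=2 HTTP/1.1" 302 0
shop.example.com:443 198.51.100.7 - - [12/Sep/2011:10:03:00 +0000] "POST /checkout/payment HTTP/1.1" 302 0
garbage line that does not match the format
"""

def from_vendor(ip_text):  # is the client address inside a vendor proxy range?
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in VENDOR_NETS)

def analyse(lines):
    """Count direct vs. proxied requests and list proxied hits on sensitive paths."""
    summary, findings = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        if not from_vendor(m["ip"]):
            summary["direct"] += 1
            continue
        summary["vendor_https" if m["port"] == "443" else "vendor_http"] += 1
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if path.startswith(SENSITIVE_PREFIXES):
            findings.append((m["ts"], m["ip"], m["port"], m["method"], path))
    return summary, findings

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG.splitlines()), sep="\n")
```

A non-zero `vendor_https` count, or any entry in `findings`, is the evidence to bring to Marketing and the payment processor.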
LVL 33

Expert Comment

by:Dave Howe
ID: 36529972
Normally, the only protection you have against a criminal enterprise doing this is your domain name - this is a classic Phishing / MITM attack, and is usually done from a spoofed or typo domain so that the https traffic looks legit.

On the bright side, if all the traffic is going to be going through some other provider and senior management are signing off on it, you can stop having to find the cash for a https cert from your CA - just use a self signed one, it's not like this advertising company will care ;)
LVL 27

Expert Comment

ID: 37163633
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
