Solved

What are the security risks of utilizing a marketing vendor that uses a reverse proxy?

Posted on 2011-09-12
347 Views
Last Modified: 2013-11-19
Our Marketing dept has contracted with an outside marketing company (without the IT department's knowledge) which pulls our web site url through their servers whenever someone clicks on one of their ads. They capture page views, emails, and other information. What is to prevent them from capturing our credit card numbers (we are an e-commerce site) as well? And what would prevent criminal elements from using this as a means of stealing credit card information?
Question by:Bible_on_stage
7 Comments
 
LVL 12

Assisted Solution

by:jhoekman
jhoekman earned 62 total points
I'll let someone who knows more about security than I speak to the actual technicalities, but if I were you, I would just stop serving ads on secure pages like your shopping cart when you are trying to get people to complete their purchase. The fewer distractions you have during your conversion funnel, the less likely they are to get distracted, increasing the chances they will complete their purchase.

And regarding the information they need from your site, they don't need to know anything more than page views and impressions served in order to fulfill the necessary data to the publishers they represent.  If they are collecting anything outside of that, I would be very concerned and again would not serve their information on those secure pages.

They have no reason to ask for email, etc.  They just need to know impressions and clicks so that they can measure ad performance.  

Can you tell us what ad provider you are using?
0
 
LVL 33

Expert Comment

by:Dave Howe
I think your first step should be some sort of traffic log analysis - you should see the traffic from the reverse proxy as all coming from a single or range of addresses; if that includes https traffic, then you have a significant problem and should contact whomever your ecommerce merchant account is with for advice. If it is http only, then you should move to *only* accepting customer info securely, even if that increases server load.

But it all starts with you finding out what is happening, rather than speculating how their "wrapper" works. You will find a lot of banner ad companies do clickthrough tracking (after all, they are paid based on how many they get, or at least need to supply clicks-per-campaign info) and will usually use cookies and other similar mechanisms to establish unique impressions (again, for metrics) but can reasonably defend that practice based on the fact that your *own marketing department* is asking for said metrics. You can also (if you wish) use the source IP to define a unique landing page for your redirected visitors; using many more absolute (full URL) links for things like user login/signup (fairly normal if you are forcing redirect to https anyhow) can get users transparently back onto a "direct" channel to you (which you can then monitor, again via the logs) unless the ad vendor is also deliberately rewriting your target URLs (which is possible; certainly Novell's reverse proxy products could do that routinely) - but again, your first step (and indeed, every other step :) is log analysis.
0
 

Author Comment

by:Bible_on_stage
This company describes their services as enabling us to track all activity generated from your ad without ever needing to contact your webmaster. Netcraft.com identifies their server's OS as Citrix Netscaler. All traffic, including https, is going through their server, and our logs show the traffic then coming to our server. The URL they write replaces our host name with theirs and everything beyond that is identical to our web site's paths. Their SSL certificate is encrypting the https traffic and Fiddler shows it as being passed to our server as http on port 443. From a technical side I don't like it but apparently Marketing does. But what I'm trying to understand is if this is a possible security vulnerability that affects our PCI compliance. And what would prevent a criminal enterprise from doing something similar. I haven't read anywhere of this type of technique as being identified as a security exploit, but it seems as something that would be reasonably easy to duplicate - so I feel there must be something I am missing and don't understand.
0
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 63 total points
Ok. If they are also wrapping your HTTPS traffic, then you have a security issue. A lot depends on how you are processing CC or other PCI information, but effectively you are subject to a known man-in-the-middle attack against your site (if you are using a payment processor that handles such details themselves, then you may not be responsible for the result, but they may well take exception to "your" traffic always coming from another host); correspondingly, if you are knowingly allowing a third party to intercept CC traffic, then you could well be liable if that CC traffic goes astray.

I would first check to see if any PCI sensitive data IS going via these marketing servers. IF they are, then go to marketing and say you need signed paperwork from both the marketing company AND your payment processor that they are ok with this setup and accept all liability arising from this happening - otherwise you will block all HTTPS at the firewall from that IP range, and leave them to sort out the fallout.  
0
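One way to carry out the log check Dave Howe recommends in both of his replies above, as an added example that is not part of the original thread: a small Python script that parses web server access-log lines (constructed sample lines, Apache combined format with the server port appended) and reports how many requests arrived from the vendor's address range, how many of those were served on port 443, and which sensitive paths they touched. The 203.0.113.0/24 range, the log format and the list of sensitive paths are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real traffic): Apache combined format with
# the server port (%p) appended. 203.0.113.0/24 is a documentation range that
# stands in for the marketing vendor's reverse-proxy addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2011:10:01:02 +0000] "GET /landing?utm=ad1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 80
203.0.113.11 - - [12/Sep/2011:10:02:11 +0000] "POST /checkout HTTP/1.1" 200 880 "-" "Mozilla/5.0" 443
203.0.113.11 - - [12/Sep/2011:10:02:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 443
198.51.100.7 - - [12/Sep/2011:10:03:00 +0000] "GET /products/42 HTTP/1.1" 200 7300 "-" "Mozilla/5.0" 80
198.51.100.7 - - [12/Sep/2011:10:03:30 +0000] "POST /checkout HTTP/1.1" 200 880 "-" "Mozilla/5.0" 443
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<port>\d+)$'
)

# Assumed paths where cardholder or credential data is submitted.
SENSITIVE_PREFIXES = ("/checkout", "/login", "/account")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, proxy_network):
    """Count requests from the proxy range; flag TLS and sensitive-path hits."""
    net = ipaddress.ip_network(proxy_network)
    summary = {"proxied": 0, "proxied_https": 0, "direct": 0,
               "sensitive_via_proxy": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["ip"]) in net:
            summary["proxied"] += 1
            if rec["port"] == "443":          # TLS terminated at the proxy
                summary["proxied_https"] += 1
            if rec["path"].startswith(SENSITIVE_PREFIXES):
                summary["sensitive_via_proxy"][rec["path"]] += 1
        else:
            summary["direct"] += 1
    return summary


def pci_concern(summary):
    """True when any HTTPS or sensitive-path request arrived via the proxy."""
    return summary["proxied_https"] > 0 or bool(summary["sensitive_via_proxy"])
```

Run it over a real access log (with the port field added to your LogFormat) and the vendor's real address range; a non-empty sensitive_via_proxy is exactly the evidence to take to marketing and the payment processor.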
 
LVL 33

Expert Comment

by:Dave Howe
Normally, the only protection you have against a criminal enterprise doing this is your domain name - this is a classic Phishing / MITM attack, and is usually done from a spoofed or typo domain so that the https traffic looks legit.

On the bright side, if all the traffic is going to be going through some other provider and senior management are signing off on it, you can stop having to find the cash for a https cert from your CA - just use a self signed one, it's not like this advertising company will care ;)
0
 
LVL 27

Expert Comment

by:Tolomir
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
