

What are the security risks of utilizing a marketing vendor that uses a reverse proxy?

Posted on 2011-09-12
Medium Priority
Last Modified: 2013-11-19
Our Marketing dept has contracted with an outside marketing company (without the IT department's knowledge) which pulls our web site URL through their servers whenever someone clicks on one of their ads.  They capture page views, emails, and other information.  What is to prevent them from capturing our credit card numbers (we are an e-commerce site) as well?  And what would prevent criminal elements from using this as a means of stealing credit card information?
Question by: Bible_on_stage
LVL 12

Assisted Solution

jhoekman earned 248 total points
ID: 36526041
I'll let someone who knows more about security than I speak to the actual technicalities, but if I were you, I would just stop serving ads on secure pages like your shopping cart when you are trying to get people to complete their purchase.  The fewer distractions you have during your conversion funnel, the less likely they are to get distracted, increasing the chances they will complete their purchase.  

And regarding the information they need from your site, they don't need to know anything more than page views and impressions served in order to fulfill the necessary data to the publishers they represent.  If they are collecting anything outside of that, I would be very concerned and again would not serve their information on those secure pages.

They have no reason to ask for email, etc.  They just need to know impressions and clicks so that they can measure ad performance.  

Can you tell us what ad provider you are using?
LVL 33

Expert Comment

by: Dave Howe
ID: 36528478
I think your first step should be some sort of traffic log analysis - you should see the traffic from the reverse proxy as all coming from a single or range of addresses; if that includes https traffic, then you have a significant problem and should contact whomever your ecommerce merchant account is with for advice. If it is http only, then you should move to *only* accepting customer info securely, even if that increases server load.

But it all starts with you finding out what is happening, rather than speculating how their "wrapper" works.  You will find a lot of banner ad companies do clickthrough tracking (after all, they are paid based on how many they get, or at least need to supply clicks-per-campaign info) and will usually use cookies and other similar mechanisms to establish unique impressions (again, for metrics) but can reasonably defend that practice based on the fact that your *own marketing department* is asking for said metrics. You can also (if you wish) use the source IP to define a unique landing page for your redirected visitors; using many more absolute (full URL) links for things like user login/signup (fairly normal if you are forcing redirect to https anyhow) can get users transparently back onto a "direct" channel to you (which you can then monitor, again via the logs) unless the ad vendor is also deliberately rewriting your target URLs (which is possible; certainly Novell's reverse proxy products could do that routinely) - but again, your first step (and indeed, every other step :) is log analysis.
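One way to implement the "absolute (full URL) links" suggestion above, as an added example that is not part of Dave Howe's answer or the poster's site: a server-side pass over rendered HTML that turns relative links and form actions leading to login, signup, checkout or account pages into absolute URLs on the shop's own origin, so a visitor who arrived through the vendor's host is handed straight back to a direct connection for the sensitive steps. The origin `https://shop.example.com`, the list of sensitive prefixes and the sample page are all constructed assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumptions for this example (not values from the thread): the shop's real
# origin and the paths that should only ever be reached over a direct connection.
CANONICAL_ORIGIN = "https://shop.example.com"
SENSITIVE_PREFIXES = ("/login", "/signup", "/checkout", "/account")

# Matches href="..." / action='...' attributes; adequate for server-rendered templates.
_LINK_ATTR_RE = re.compile(
    r'(?P<attr>\b(?:href|action))=(?P<q>["\'])(?P<url>[^"\']*)(?P=q)', re.IGNORECASE
)


def is_sensitive(path):
    """True if the path is, or sits under, one of the sensitive prefixes."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def absolutize_sensitive_links(html, page_path):
    """Rewrite relative href/action values that lead to sensitive paths into
    absolute URLs on CANONICAL_ORIGIN. page_path is the path of the page being
    rendered, used to resolve references such as '../checkout/cart'. Links that
    are already absolute, and links to non-sensitive paths, are left untouched."""
    def replace(match):
        url = match.group("url")
        parts = urlsplit(url)
        if parts.scheme or parts.netloc:
            return match.group(0)  # already absolute or protocol-relative: leave it
        resolved = urlsplit(urljoin(CANONICAL_ORIGIN + page_path, url))
        if not is_sensitive(resolved.path):
            return match.group(0)
        new_url = CANONICAL_ORIGIN + resolved.path
        if resolved.query:
            new_url += "?" + resolved.query
        if resolved.fragment:
            new_url += "#" + resolved.fragment
        return f'{match.group("attr")}={match.group("q")}{new_url}{match.group("q")}'
    return _LINK_ATTR_RE.sub(replace, html)


# Constructed sample: a product page template as it would be rendered server-side.
SAMPLE_PAGE = (
    '<a href="/products/gadget">Gadget</a> '
    '<a href="../checkout/cart?sku=42">Buy</a> '
    '<form action="/login" method="post"></form> '
    '<link href="https://cdn.example.net/site.css" rel="stylesheet">'
)

if __name__ == "__main__":
    print(absolutize_sensitive_links(SAMPLE_PAGE, "/products/widget"))
```

Run on the sample page rendered at `/products/widget`, the "Buy" link becomes `https://shop.example.com/checkout/cart?sku=42` and the login form posts to `https://shop.example.com/login`, while the product link and the CDN stylesheet are unchanged. As the answer notes, this only helps if the vendor's proxy does not rewrite those targets back to its own host, which is exactly what the access logs will tell you.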

Author Comment

ID: 36529271
This company describes their services as "enables us to track all activity generated from your ad without ever needing to contact your webmaster."  Netcraft.com identifies their server's OS as Citrix Netscaler.  All traffic, including https, is going through their server, and our logs show the traffic then coming to our server.  The URL they write replaces our host name with theirs and everything beyond that is identical to our web site's paths.  Their SSL certificate is encrypting the https traffic and Fiddler shows it as being passed to our server as http on port 443.  From a technical side I don't like it but apparently Marketing does.  But what I'm trying to understand is if this is a possible security vulnerability that affects our PCI compliance.  And what would prevent a criminal enterprise from doing something similar. I haven't read anywhere of this type of technique as being identified as a security exploit, but it seems as something that would be reasonably easy to duplicate - so I feel there must be something I am missing and don't understand.

LVL 33

Accepted Solution

Dave Howe earned 252 total points
ID: 36529952
OK. If they are also wrapping your HTTPS traffic, then you have a security issue. A lot depends on how you are processing CC or other PCI information, but effectively you are subject to a known man-in-the-middle attack against your site (if you are using a payment processor that handles such details themselves, then you may not be responsible for the result, but they may well take exception to "your" traffic always coming from another host); correspondingly, if you are knowingly allowing a third party to intercept CC traffic, then you could well be liable if that CC traffic goes astray.

I would first check to see if any PCI sensitive data IS going via these marketing servers. If it is, then go to marketing and say you need signed paperwork from both the marketing company AND your payment processor that they are ok with this setup and accept all liability arising from this happening - otherwise you will block all HTTPS at the firewall from that IP range, and leave them to sort out the fallout.  
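The log analysis Dave Howe recommends earlier in the thread, and the accepted answer's first step of checking whether any PCI-sensitive data is actually going via the marketing servers, come down to the same question: which requests in the web server log arrive from the vendor's address range, how many of those are HTTPS, and do any of them hit checkout or login paths? The script below is an added example, not code from the thread or from the vendor; it parses Apache `vhost_combined` lines (the format that records the port, so HTTP and HTTPS can be told apart), with the vendor range `203.0.113.0/24`, the sensitive prefixes and the six sample log lines all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example (placeholders, not values from the thread): the
# address range the vendor's reverse proxy connects from, and the paths that carry
# cardholder or credential data.
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_PREFIXES = ("/checkout", "/login", "/account")

# Apache "vhost_combined" format:
# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = """\
shop.example.com:80 198.51.100.7 - - [12/Sep/2011:10:01:02 -0400] "GET /products/widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
shop.example.com:80 203.0.113.17 - - [12/Sep/2011:10:02:11 -0400] "GET /products/widget HTTP/1.1" 200 5120 "http://ads.vendor.example/products/widget" "Mozilla/5.0"
shop.example.com:443 203.0.113.17 - - [12/Sep/2011:10:03:21 -0400] "POST /checkout/payment HTTP/1.1" 200 1532 "https://ads.vendor.example/checkout/cart" "Mozilla/5.0"
shop.example.com:443 203.0.113.42 - - [12/Sep/2011:10:04:05 -0400] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
shop.example.com:443 198.51.100.9 - - [12/Sep/2011:10:05:40 -0400] "POST /checkout/payment HTTP/1.1" 200 1532 "https://shop.example.com/checkout/cart" "Mozilla/5.0"
this line is not in the expected format
"""


def from_vendor(ip_text):
    """True if the client address falls inside one of the vendor's ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in VENDOR_RANGES)


def is_sensitive(path):
    """True if the request path (query string ignored) is under a sensitive prefix."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def analyse(log_text):
    """Summarise which requests arrived via the vendor proxy, how many of those
    were HTTPS, and which sensitive paths were reached through it."""
    report = {
        "direct_requests": 0,
        "vendor_requests": 0,
        "vendor_https": 0,
        "vendor_sensitive": [],   # (client ip, path) pairs: the PCI-relevant finding
        "by_ip": Counter(),       # a proxy shows up as a few addresses with many hits
        "unparsed": 0,
    }
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"] += 1
            continue
        ip, port, path = m.group("ip"), m.group("port"), m.group("path")
        report["by_ip"][ip] += 1
        if not from_vendor(ip):
            report["direct_requests"] += 1
            continue
        report["vendor_requests"] += 1
        if port == "443":
            report["vendor_https"] += 1
        if is_sensitive(path):
            report["vendor_sensitive"].append((ip, path))
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, two of the three proxied requests are HTTPS and both reach sensitive paths (`/checkout/payment` and `/login`), which is the finding that needs the signed paperwork or the firewall rule. An empty `vendor_sensitive` list with a non-zero `vendor_requests` count is the benign case: the proxy is only wrapping landing pages. The `by_ip` counter is the "single or range of addresses" pattern to look for when the vendor's range is not yet known.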
LVL 33

Expert Comment

by: Dave Howe
ID: 36529972
Normally, the only protection you have against a criminal enterprise doing this is your domain name - this is a classic Phishing / MITM attack, and is usually done from a spoofed or typo domain so that the https traffic looks legit.

On the bright side, if all the traffic is going to be going through some other provider and senior management are signing off on it, you can stop having to find the cash for an https cert from your CA - just use a self signed one, it's not like this advertising company will care ;)
LVL 27

Expert Comment

ID: 37163633
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

