FY2019 Attack Trends and Solutions Targeting Domestic Corporate Websites

Over the past decade or so, domestic websites have seen significant changes in their operating environments, as well as in the tools users access them with and the purposes they use them for. On the operating side, the use of cloud environments and third-party software modules is increasing.

In addition, users' platforms have shifted from PC browsers to mobile browsers and mobile applications, and online shopping is becoming more active. Most recently, the use of online shopping has increased rapidly as people try to prevent the spread of the novel coronavirus infection.

However, in today's increasingly complex web environment, attack methods targeting websites are also evolving, shifting from simple tampering and DDoS attacks to sophisticated unauthorized logins, fraudulent remittances, and abuse of websites for phishing.

As a result, it is becoming difficult to protect websites with conventional measures.

This document introduces attack methods and campaigns targeting websites that have been observed recently, and explains them with actual examples.

Table of contents

1. Introduction
2. Unauthorized login by bot
2.1 Lifecycle of attackers who abuse bots
2.2 Actual situation of unauthorized login in Japan
2.3 Bot Attack Detection and Mitigation
3. Dependence on external resources such as third parties and new threats
3.1 Dependencies on External Resources and Lifecycle Issues
3.2 Formjacking (skimming)
3.3 Supply Chain Attack
3.4 Magecart: Observed Example at a Domestic Company
3.5 Summary and Mitigation
4. Recent Phishing Trends and Evasion of Detection
4.1 Trends in countermeasures against phishing
4.2 Attack Techniques and Trends
4.3 Detection avoidance and crawler bypass
4.4 Countermeasures against Recent Phishing Attacks

Report "FY2019 Attack Trends and Solutions Targeting Domestic Corporate Websites"