What is Customer Journey Hijacking?

December 8, 2021

Imagine it’s December—the biggest sales time of the year. Your e-commerce site is up and running, complete with a robust and diverse inventory for buyers. A few days into the shopping season, you notice an unusually high number of cart abandonments and quite a few customers leaving after viewing a couple of different web pages.

You check the web pages. They look fine—in fact, better than fine. (You spent a little extra this year improving the graphic design.)

Everyone is stumped. Nothing seems to account for the decreased customer engagement and the declining number of purchases.

You’ve been hijacked

Unbeknownst to you and your creative team, your business site has been hijacked by unauthorized ad injections: a pop-up box appears promoting a discount, and when the customer clicks it, they are redirected to a different site. This type of client-side threat is referred to as customer journey hijacking. By taking advantage of vulnerabilities and bugs in the business’s web application code, malicious threat actors have been able to insert ads that redirect customers to alternative e-commerce sources. And because these ad injections happen on the client side, they are visible only on the customer’s device, not on the business’s server.

A recent study of ‘customer journey hijacking’ found that as many as 20% of all online shopping sessions are exposed to unauthorized and invasive advertising injections. While lost revenue is clearly a negative consequence of hijacking, a business’s reputation can also be affected due to annoying pop-ups and slowed page loading times.

The problem is client-side compromises 

Client-side threats are achieved by injecting malicious scripts into the code used to annotate or format a webpage. Because client-side activity happens when a customer is surfing the e-commerce site, it is happening outside of a business’s security perimeter. Typical security technologies won’t protect the customer (or the business) from malicious activity that is occurring on dynamic web pages accessed from the customer’s own device. Essentially, your customer has downloaded malicious code—in the form of pop-up ads—from your server, which is then interpreted and rendered by the customer’s browser on the customer’s device.
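
Because the injected elements exist only in the visitor’s browser, one way to see them is a monitor that runs in the page itself and reports scripts, iframes, and links that point outside an approved set of hosts. The following is an added example, not code from the original article or from Feroot’s products; the allowlisted hosts, the function names, and the `/injection-report` endpoint are assumptions.

```javascript
// Added example. ALLOWED_HOSTS holds constructed sample values; the function
// names and the /injection-report endpoint are hypothetical.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example']);
const WATCHED = { SCRIPT: 'src', IFRAME: 'src', A: 'href' }; // tag -> URL attribute

// Return a finding for an element that loads or links to an unapproved
// destination, or null when the element is acceptable.
function classifyNode(el, pageUrl) {
  const attr = WATCHED[el.tagName];
  const raw = attr ? el.getAttribute(attr) : null;
  if (!raw) return null;
  const finding = (url, reason) => ({ tag: el.tagName, url, reason });
  let url;
  try {
    url = new URL(raw, pageUrl); // resolves relative URLs against the page
  } catch {
    return finding(raw, 'unparseable-url');
  }
  if (url.protocol !== 'https:') return finding(url.href, 'unexpected-scheme');
  if (!ALLOWED_HOSTS.has(url.hostname)) return finding(url.href, 'unlisted-host');
  return null;
}

// Check an inserted node and every watched element nested inside it.
function inspectAdded(node, pageUrl) {
  if (node.nodeType !== 1) return []; // ignore text and comment nodes
  const els = [node, ...node.querySelectorAll('script,iframe,a')];
  return els.map((el) => classifyNode(el, pageUrl)).filter(Boolean);
}

// Browser-only wiring: watch insertions and later src/href changes.
function watchForInjections(report) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') {
        const f = classifyNode(m.target, location.href);
        if (f) report(f);
      } else {
        for (const n of m.addedNodes) inspectAdded(n, location.href).forEach(report);
      }
    }
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src', 'href'],
  });
  return observer;
}

if (typeof document !== 'undefined') {
  watchForInjections((f) => navigator.sendBeacon('/injection-report', JSON.stringify(f)));
}
```

Legitimate outbound links and third-party scripts have to be on the allowlist or they will be reported, so the list needs to reflect what the site actually loads.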

The types of vulnerabilities that make ad injections and customer journey hijacking easy include:

  • Vulnerable website tools, like JavaScript.
  • Lack of attention to web application vulnerabilities.
  • Multiple, layered (but likely vulnerable) web applications designed to add website functionality.
  • Increasing number of third- and fourth-party sources creating and distributing vulnerable applications.
  • Misconfigurations and malicious code in open-source tools.

Fight customer journey hijacking with the right security solutions

Not all cybersecurity solutions are created equal. Some are designed to do very specific things, and most traditional solutions, such as web application firewalls (WAFs), policy controls, and threat intelligence, are effective at protecting the server side but are not going to protect against malicious attacks targeting the client side.

Implementing client-side security is vital to protect and defend your customer data and your business. To protect against the types of vulnerabilities that contribute to customer journey hijacking and other threats like formjacking, cross-site scripting (XSS), and Magecart attacks, businesses need to consider solutions that have no impact on website functionality but still offer the right type and level of security.

Feroot Security specializes in tools that help protect from client-side attacks. If you would like to ensure your website is using the latest security tools, check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers. And if you would like to see our products in action, please request a demo.
