A RiskIQ researcher says targeting third-party web apps is the "supply chain attack for the web."