How Web Skimming Attacks Threaten The Retail Sector

Introduction

Thousands of retailers have had their security breached in web skimming attacks, unknowingly allowing attackers to take their customers’ credit card information.

Ecommerce websites are vulnerable to web skimming, which has become a worrying trend. Hackers are getting better and more sophisticated at penetrating retail sites and installing their malware to steal customers’ money and private information.

What is web skimming?

A web skimming attack is essentially the online version of physical card skimming. Cybercriminals mainly targeting online shoppers, stealing credit card or payment information details from a website’s visitors during checkout.

Cyber criminals install malicious JavaScript code onto browser-based payment sites, before hijacking the route of the payment sites or forms and present their own payment page to unsuspecting consumers. After they collect the consumer’s financial data, they route the user, along with their information, to their own servers.

Shopping carts are an attractive target because they collect customer payment information: if malware can tap into this data stream, cybercriminals have a ready-made card collection tool.

How does web skimming work?

Attackers typically take advantage of vulnerabilities in ecommerce platforms and Content Management Systems to gain access to pages they want to infiltrate with the skimming script.

Web skimming typically targets platforms like Magento, PrestaShop and WordPress, which are popular choices for online shops because of their ease of use and portability with third-party plugins.

Online web skimming attacks work in a three-stage process:

Stage 1 – Gain (undetected) access to user information

Online web skimming attacks start by planting a skimming code, usually a piece of JavaScript. The code is short and looks innocent, often mimicking legitimate processes and operations that developers use to create ecommerce websites. Cyber criminals are becoming increasingly clever at hiding their technical, back-end tactics by mimicking legitimate code, so they often go undetected until it’s too late.

They generally gain access to website information in two ways:

Direct hacking – hackers place the skimming code directly on the website, often in a brute-force attack, which automates login credentials until it finds the correct combination to access a company account with administrator permissions. A second method is to exploit known software vulnerabilities, known as ‘zero-day vulnerabilities’.

Supply chain attacks – hackers infect a single vendor that offers services used by a large number of ecommerce stores. For example, in 2019, French online advertising platform, Adverline, inadvertently injected the Magecart skimming code to hundreds of client vendors.

Stage 2 – Collect sensitive data from consumers

Once criminals gain access, they steal personal data from site users. The two most common tactics are fake forms and keylogging because they give direct access to verified, accurate data.

Fake forms – hackers take over the forms that consumers use to make a payment, also known as ‘formjacking’. When they send the form to the retail merchant, the data is also transferred to the hacker’s servers.

Keylogging – hackers record the keyboard strokes made by the consumer, when they fill out a payment form, the hacker can see which keys they pressed to enter their login credentials. This way, even if the merchant successfully encrypts data, the hacker can still gain access to passwords and credit card numbers.

Stage 3 – Store the stolen data

Once this stage is reached, the stolen information is commonly sent to a proxied domain. This is another way fraudsters hide their tracks and keep their online web skimming attacks hidden from retailers because the domain often mimics the legitimate site.

Magecart

First observed in 2010, Magecart is a rapidly growing cybercrime syndicate with dozens of subgroups, which has gained media coverage over the years for affecting thousands of websites. It is well-known in security circles and has become a global cyber-pandemic.

Magecart attacks are unlike anything that online retailers have faced before. They can inject malicious code into a website without ever touching the website’s server. Magecart also refers to the JavaScript code those groups inject.

In the last few years, Magecart has been blamed for payment card skimming attacks in large organisations such as Ticketmaster, British Airways, Tupperware and NutriBullet, to name a few.

British Airways breach

In 2018, payment card skimming software built on the British Airways web site affected over 380,000 credit cards and lasted over three weeks. Payments via the website and the smartphone app of the airline were stolen, which cost BA more than $1billion in mitigation efforts, GDPR violation fines and other payoffs.

This unique skimmer was strongly tuned to how the payment page of British Airway is set up, which informs us that the attackers have been deliberately contemplating how to approach this website, rather than automatically dumping the usual Magecart skimmer.

Ticketmaster hack

Web skimming attacked Ticketmaster in 2018, capturing more than 40,000 customers’ data. The main reason for the breach was caused by a third-party vendor who updated a line of JavaScript code specifically for Ticketmaster’s requirements. This line of code was used on a payments page for Ticketmaster, which is what allowed hackers to collect payment and user data.

How to prevent web skimming attacks

Many organisations have almost no visibility into their web-facing assets and the way their users interact with them. Consequently, browser-based cyber threats have become the go-to method for cyber criminals to target organisations, their employees and customers.

The greatest technique for preventing web skimmers from breaking into your site is to routinely patch operating systems and software with the most recent security upgrades, as well as access management, external penetration monitoring and regular vendor evaluation.

It is critical to build and maintain some type of malware protection, as well as security fixes for every piece of software you use.

To further tighten security, access should be restricted to only what is absolutely necessary, with all other website access blocked by default. Robust, multi-factor authentication is also required for access to the website’s system components, not just simple, easy-to-guess passwords.

The following best practices can help you to strengthen your security and prevent web skimming attacks:

• Identify all your third-party ecommerce and online advertising vendors
• Monitor all third-party scripts on your site
• Monitor code changes on websites
• Implement client-side web skimming solutions
• Use patch management effectively scan for web vulnerabilities
• Implement multi-factor authentication.
• Configure a firewall correctly
• Deploy a bot management solution to prevent browser-based bot attacks

Conclusion

With a solid understanding of how web skimming happens and how it can be avoided, ecommerce businesses are better positioned to keep one step ahead of Magecart and other web skimming threats, providing customers with the security assurance they expect.

Securus’ customers already using our IaaS (Infrastructure as a Service) portfolio are secure in the knowledge that our automated patching and alerting systems prevent malicious code being embedded, but not all platforms are equally protected.

If you’d like to know more about how Securus can assist you, click here to contact one of our security experts.