How to have a safe and secured Online Shopping experience

E-Skimming: Online skimming hammers restaurant payment platforms as the attacker base widens

The Internet touches almost all aspects of our daily lives. We are able to shop, bank, connect with family and friends, and handle our medical records all online. These activities require you to provide personally identifiable information (PII) such as your name, date of birth, account numbers, passwords, and location information.

Skimming was once dominated by a few highly trained gangs that methodically selected and attacked their targets, modifying JavaScript on websites to steal customers’ credit card information, frequently for sale on the black market. Presently, it’s a lot more diverse group filled with cyber criminals that prey on cheap, widely accessible, and simple-to-use skimmers.

WHAT IS IT?

Cybercriminals introduce skimming codes on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.

HOW DOES IT WORK?

Skimming code is introduced to payment card processing websites by:

• Exploiting a vulnerability in the website’s e-commerce platform
• Gaining access to the victim’s network through a phishing email or brute force of administrative credentials
• Compromising third-party entities and supply chains by hiding skimming code in the JavaScript loaded by the third-party service onto the victim’s website
• Cross-site scripting redirects customers to a malicious domain where malicious JavaScript code captures their information from the checkout page.

The malicious code captures credit card data as the end user enters it in real-time. The information is then sent to an Internet-connected server using a domain name controlled by the actor. Subsequently, the collected credit card information is either sold or used to make fraudulent purchases.

WHO IS BEING TARGETED?

Who is the target of e-skimming?

Businesses—Any organization that maintains a website that collects payment information and other types of sensitive user data are at risk of an e-skimming attack. Industries targeted include retail, entertainment, travel, utility companies, and third-party vendors (such as those working in online advertising or web analytics). Cybercriminals may also target user and administrative credentials in addition to financial or credit card information.

Consumers—Consumer PII, credit card, and financial data is the primary target of e-skimming. Every year millions of individuals become victims of e-skimming attacks. 

Cybercriminals are evolving their tactics and have also been seen using malicious code that targets user and administrative credentials in addition to customer payment information.

Use case example: Magecart

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart also refers to the JavaScript code those groups inject.

Magecart operates by operatives gaining direct or indirect access to websites and injecting malicious JavaScript that steals data entered into online payment forms, typically on checkout webpage.

Magecart operatives either directly or indirectly breach sites. Third-party code suppliers are the targets of supply chain attacks. Suppliers can include companies that integrate with websites to add or improve functionality, as well as cloud resources from which websites pull code, such as Amazon S3 Buckets. Because these third-party vendors integrate with thousands of websites, when one supplier is compromised, Magecart has effectively breached thousands of sites at once.

WHAT ARE THE WARNING SIGNS?

• Complaints of fraudulent activity on several customers’ accounts after making a purchase from the victim company.
• Identifying a new domain not known to be registered by the victim company.
• JavaScript code has been edited.

 WHAT IS THE IMPACT OF AN E-SKIMMING ATTACK?  

Loss of Sensitive Customer Information: E-skimming attacks can involve the theft of multiple types of customer information, including credit card data and PII. 

Profit loss: Previous e-skimming attacks have demonstrated that business profits will be impacted negatively due to reputation damage and loss of customer trust.

Regulatory and Compliance Issues: Government and industry regulations, such as the Payment Card Industry Data Security Standards (PCI DSS) and the General Data Protection Regulations (GDPR) can subject businesses to lawsuits and fines should business customers be affected by an e-skimming attack.

 HOW CAN YOU MINIMIZE RISK?

In an attempt to make attribution, it is determined that the malicious skimmer code has varied in complexity, which limits the ability to identify a specific set of indicators of compromise.

Vulnerable companies should secure websites to prevent malicious code injection. In addition, companies should implement proper network segmentation and segregation to limit network exposure and minimize the lateral movement of cyber criminals.

1. Perform regular updates to payment software.
2. Use automated monitoring & inspections.
3. Deploy and maintain content security policies.
4. Install patches from payment platform vendors.
5. Implement code integrity checks.
6. Keep anti-virus software updated.
7. Ensure you are PCI DSS compliant.
8. Monitor and analyze web logs.
9. Refer to your Incident Response Plan, if applicable.

In my point of aspect, “Any business must apply data-centric protection to any sensitive data within their ecosystem, including PII, financial, and transactional data, as soon as it enters the environment and keep it protected even as employees work with that data.”

Payment platforms can protect sensitive information while preserving the original data format by tokenizing any PII or transactional data, “making it easier for business applications to support tokenized data within their workflows.” “They should also review their enterprise backup and recovery strategies to ensure that they can recover quickly if hackers gain access to their environment and encrypt their enterprise data.”

Thanks for reading.

Published by: P. Sai Ram
Cyber Security Researcher
Tsarolabs