Your eCommerce website is exposed to a family of threats known collectively as web skimming. The criminals behind them are getting better at breaking into sites and planting malware that steals your customers' money and personal information, and web skimming is growing both in the frequency of attacks and in the size of the breaches recorded.
The idea behind web skimming is simple to explain: an attacker gains access to your website (or to a third-party script that your pages load) and inserts malicious JavaScript into your pages. That code runs in each customer's browser and is designed to do two things: first, remain as inconspicuous as possible to avoid detection; second, watch what the customer types into the checkout form and "skim", or copy, payment card numbers, expiry dates, security codes and billing details to a server the attacker controls, alongside the legitimate submission to your web server, so that the purchase still goes through and nobody notices.
Typically, the skimmer is placed on the checkout or shopping cart page, so it can hook the form submission. These pages are attractive because they are the collection point for payment card data. If the skimmer can read that data, the attackers can resell the card details to other criminals. The attackers count on the fact that most eCommerce sites use third-party shopping cart and checkout components and do not take the time to vet the code behind them. Detecting a substitution means comparing the code actually being served against a known clean copy; in practice that means keeping a baseline of the released files (for example, a list of their hashes) and checking the live files against it regularly, not reading the code line by line.
One of the more popular eCommerce platforms is Magento. Magecart is the name given to the skimming attacks, and the malware behind them, that were originally aimed at Magento stores. Magecart is actually the work of a loose collection of several criminal groups who have been active since 2016, continually refining their skimmers.
Verizon's Data Breach Investigations Report for 2020 tracks the continued rise of Magecart. In May 2019, researchers saw various Magecart groups continue to deploy payment card scraping scripts. "They expanded their targeted platforms beyond Magento to the PrismWeb and OpenCart eCommerce platforms," says the report. One of the groups is sponsored by the North Korean government, which has used cybercrime to generate hard currency for its operations for more than a decade.
Earlier this summer, the eCommerce sites of accessories retailer Claire's and sporting goods retailer Intersport were hit with new Magecart skimmers that captured the payment details customers entered at checkout. The malware had been present since April but was only recently discovered. Another series of Magecart attacks, which also began in April and was discovered in June, hit Click2Gov, a third-party payment supplier used by eight local government websites. These sites carried web-based payment forms for government services such as parking tickets and taxes. This is the same supplier that suffered two other major breaches, in 2018 and 2019, affecting dozens of other cities' websites. Magecart attacks have also compromised Ticketmaster's UK operations (January 2018), the Atlanta Hawks fan merchandise online store (April 2019) and hundreds of college campus bookstores (April 2019).
Typically, attackers insert a piece of JavaScript either by modifying a script file in the store's own Magento code or by adding a script tag (or redirecting an existing one) that loads the skimmer from a site they control. Researchers have seen this second technique used with abandoned GitHub projects: the criminals take ownership of the project and publish a "new" version of the code that contains the skimmer, and every site that loads the library from that source picks it up on its next page load. This gets the malware into active use across thousands of websites at once. Security tools that scan only the store's own code do not see it, so the criminals hide in plain sight. Misconfigured Amazon S3 buckets that were left open to public write access by mistake have been used the same way: the attackers overwrite the JavaScript files stored there, and every page that embeds them then serves the skimmer.
Researchers have identified nearly 40 different Magecart skimmer variants. Some of the newer ones are quite subtle: one approach compromises the scripts served by an advertising network, so that the ad banners themselves deliver the Magecart code to every site that displays them. In the compromise of the British Airways website in August 2018, the attackers modified a single JavaScript library (a copy of Modernizr) that loaded on the baggage claim information page, so that card details entered on the payment page were copied to a lookalike domain they had registered for the purpose. The modification went unnoticed for about two weeks before it was discovered.
There are several ways to prevent web skimming attacks, including using some free and low-cost tools to help you track down the skimmers.
Start Following Our eCommerce Security Tips Today
Realize that protecting your eCommerce sites is a journey, and will require periodic vigilance and care. Armed with these tips, you’ll be well on your way to protecting your online store.
Image Credit: Shutterstock