eCommerce Security Tips to Defend Against Web Skimming

Network Solutions Team

Key Takeaways:

  • It’s essential to understand how web skimming attacks work.
  • Reviewing the history of these attacks will help you understand how and why they happen.
  • Our eCommerce security tips tell you how to defend against threats to your online store.

 

Your eCommerce website is vulnerable to a variety of threats known collectively as web skimming. The hackers behind these threats are getting better at penetrating your site and installing their malware to steal your customers’ money and private information. Web skimming is also becoming more common: attacks are growing more frequent, and the recorded data breaches are getting bigger.

The idea behind web skimming is simple to explain: a hacker gains access to your website and inserts malware-laced code on your pages. The malware is designed to do a variety of things: first, to remain as inconspicuous as possible to avoid detection. Next, to monitor what data is being sent to the web server and “skim” or copy important information such as customer credit card numbers and high-dollar transactions. 

Typically, the malware is placed on the shopping cart page, so it can hijack the shopping cart function. These digital carts are attractive because they are the collection point for payment card data. If the hacker’s malware can access this data source, they can then resell the card information they collect to various criminals. The hackers count on the fact that most eCommerce sites use third-party shopping carts and don’t take the time to properly vet the code that is used for this functionality. The only way to detect a substitution is to compare the code line-by-line with a known clean version.

Magecart Sources and Methods

One of the more popular eCommerce providers is Magento. Hackers have designed the Magecart malware specifically to target and compromise these servers. Magecart is actually the work of a loose consortium of several hacking groups who have been active since 2016, continually making improvements to their malware. 

Verizon’s 2020 Data Breach Investigations Report maps the continued rise of Magecart. In May 2019, researchers saw various Magecart groups continue to deploy payment card scraping scripts. “They expanded their targeted platforms beyond Magento to the PrismWeb and OpenCart eCommerce platforms,” says the report. One of the groups is sponsored by the North Korean government, which has been using skimming as a way to generate hard currency for its operations for more than a decade.

Earlier this summer, the eCommerce sites of accessories store Claire’s and sporting goods retailer Intersport were attacked with new versions of Magecart that recorded transaction payments. The malware had been present since April but was only recently discovered. Another series of Magecart attacks, which also began in April and was discovered in June, hit Click2Gov, a third-party supplier for eight local government eCommerce websites. These sites contained web-based payment forms for various government services, such as parking tickets and taxes. This is the same supplier that had two other major breaches in 2018 and 2019 that affected dozens of other cities’ websites. Magecart-based attacks have also compromised Ticketmaster’s UK operations (January 2018), the Atlanta Hawks fan merchandise online store (April 2019) and hundreds of college campus bookstores (April 2019).

Typically, hackers substitute a piece of JavaScript code either by replacing the original Magento source code or by redirecting the cart function to a website that hosts the malware. Researchers have seen the redirect method used with unused GitHub projects. The criminals try to take ownership of the project and then publish a “new” version of the code that contains the malware. This gives the hacker the direct benefit of quickly getting malware into active use across thousands of websites. Security tools might not scan code from GitHub, so criminals can hide in plain sight and get away with the compromised project. Misconfigured Amazon S3 storage buckets that have been left open to public access by mistake are another storage location employed in this way.

Researchers have identified nearly 40 different Magecart exploits. Some of the newer ones have gotten quite subtle, using ad servers and infecting advertising banners, for example, so that ad servers will place Magecart code on a webserver. In the case of a compromise of the British Airways website in August 2018, the hackers set up a phony airline payments webpage that looked almost identical to the real one and compromised a script in the baggage claim routine. This script wasn’t discovered for several months.

Ways to Prevent Web Skimming Attacks

There are several ways to prevent web skimming attacks, including using some free and low-cost tools to help you track down the skimmers. 

  1. Identify all of your third-party eCommerce providers, including ad vendors. You might want to think about requiring self-assessments of their code and internal audits, and also consider implementing subresource integrity so that modified scripts are not loaded without your permission. Host as many third-party scripts on your own servers as you can. 
  2. Keep up with patches to your webserver code, including WordPress and Magento. A Magento vulnerability that was discovered and then patched in March 2019 became the target of mass scanning and SQL injection attacks aimed at organizations that hadn’t yet applied the patch.
  3. Vet your shopping cart pages and ad server code to ensure that they are intact and have not been diverted. Do the same with other third-party tech suppliers of your eCommerce site. There are a number of free website scanning tools available that can help spot suspicious connections in the malware-laced scripts. Researchers from Trustwave SpiderLabs published a guide with detailed information on how such investigations can be performed as well as a list of useful tools specifically designed for detecting and fixing Magecart infections.
  4. Check to ensure that your cyber insurance covers any losses as a result of eCommerce scripting compromises. 
  5. Enable logging on GitHub and AWS S3 and other places that your dev team uses to store their code in the cloud. Then check these logs periodically for timestamps on various files to see what has changed recently and to make sure no unauthorized access is happening. Turn on multi-factor authentication for all the developers who interact with these accounts and enforce this rigorously. Here are ways to enable AWS S3 logging in CloudTrail and use AWS Lambda for response logging.
  6. Finally, read up on the latest research from RiskIQ and Trustwave. The Trustwave link in item #3 has some research links at the end of that article that dive into Magecart’s operations. 
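
Items 1 and 3, together with the earlier point about comparing code against a known clean version, can be combined into one automated check. The Node.js script below is an added example, not part of the original article: it computes subresource integrity values for vetted script copies and flags page scripts that are unvetted, changed, or loaded without a matching integrity attribute. The hosts, script bodies and function names are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// SRI value as used in <script integrity="...">: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Collect src/integrity from external <script> tags (regex scan: good enough for
// an audit of your own templates, not a general HTML parser).
function listScripts(html) {
  const attr = (tag, name) =>
    (new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tag) || [])[1] || null;
  return [...html.matchAll(/<script\b[^>]*>/gi)]
    .map(([tag]) => ({ src: attr(tag, 'src'), integrity: attr(tag, 'integrity') }))
    .filter((s) => s.src);
}

// baseline: src -> SRI of the known clean copy; served: src -> body served now.
function auditPage(html, baseline, served) {
  const findings = [];
  for (const { src, integrity } of listScripts(html)) {
    const expected = baseline[src];
    if (!expected) { findings.push(`${src}: not in vetted baseline`); continue; }
    if (src in served && sriHash(served[src]) !== expected)
      findings.push(`${src}: served content differs from clean copy`);
    if (!integrity) findings.push(`${src}: no integrity attribute`);
    else if (!integrity.split(/\s+/).includes(expected))
      findings.push(`${src}: integrity attribute does not match clean copy`);
  }
  return findings;
}

// Constructed sample data (hypothetical hosts and script bodies).
const CLEAN_CART = 'function checkout(form){ form.submit(); }';
const BASELINE = {
  'https://cdn.cart.example/cart.js': sriHash(CLEAN_CART),
  'https://ads.example/banner.js': sriHash('showBanner();'),
};
const PAGE = `<script src="https://cdn.cart.example/cart.js"
  integrity="${sriHash(CLEAN_CART)}" crossorigin="anonymous"></script>
<script src="https://ads.example/banner.js"></script>
<script src="https://unknown.example/x.js"></script>`;
const SERVED = { 'https://cdn.cart.example/cart.js': CLEAN_CART + '/* appended */' };

console.log(auditPage(PAGE, BASELINE, SERVED));
```

In practice the baseline would be generated once from the copies you reviewed, and the served bodies fetched on a schedule from the same URLs your pages reference.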
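
For the periodic log review in item 5, the following added example (not from the original article) lists recent write and access-setting changes to a script bucket from CloudTrail records and marks those made by principals outside a deploy allowlist. The account ID, bucket names, users and records are constructed; the field names follow the CloudTrail record format.

```javascript
// S3 API calls that change stored objects or who can reach the bucket.
const CHANGE_EVENTS = new Set(['PutObject', 'DeleteObject', 'CopyObject',
  'PutBucketAcl', 'PutBucketPolicy', 'DeleteBucketPolicy']);

// Return changes to the watched buckets since the cutoff, oldest first.
function reviewBucketChanges(records, { buckets, allowedArns, since }) {
  const cutoff = new Date(since);
  return records
    .filter((r) => r.eventSource === 's3.amazonaws.com'
      && CHANGE_EVENTS.has(r.eventName)
      && buckets.includes(r.requestParameters?.bucketName)
      && new Date(r.eventTime) >= cutoff)
    .map((r) => {
      const who = r.userIdentity?.arn || 'unknown';
      return {
        time: r.eventTime,
        event: r.eventName,
        target: r.requestParameters.key || `bucket ${r.requestParameters.bucketName}`,
        who,
        sourceIp: r.sourceIPAddress || null,
        authorized: allowedArns.includes(who),
        // ACL and policy changes are how a bucket ends up open to the public.
        accessChange: r.eventName.includes('Bucket'),
      };
    })
    .sort((a, b) => new Date(a.time) - new Date(b.time));
}

// Constructed CloudTrail records (hypothetical account, buckets and users).
const ACCOUNT = 'arn:aws:iam::111122223333:user/';
const rec = (eventTime, eventName, user, bucketName, key) => ({
  eventTime, eventName, eventSource: 's3.amazonaws.com', sourceIPAddress: '203.0.113.7',
  userIdentity: { type: 'IAMUser', arn: ACCOUNT + user },
  requestParameters: key ? { bucketName, key } : { bucketName },
});
const SAMPLE = [
  rec('2020-06-01T09:00:00Z', 'PutObject', 'deploy-bot', 'shop-static', 'js/cart.js'),
  rec('2020-06-12T03:20:00Z', 'PutObject', 'contractor', 'shop-static', 'js/cart.js'),
  rec('2020-06-12T03:14:00Z', 'PutBucketAcl', 'contractor', 'shop-static'),
  rec('2020-06-11T10:00:00Z', 'PutObject', 'deploy-bot', 'shop-static', 'js/cart.js'),
  rec('2020-06-12T04:00:00Z', 'GetObject', 'contractor', 'shop-static', 'js/cart.js'),
  rec('2020-06-12T05:00:00Z', 'PutObject', 'contractor', 'other-bucket', 'notes.txt'),
];
const POLICY = { buckets: ['shop-static'], since: '2020-06-10T00:00:00Z',
  allowedArns: [ACCOUNT + 'deploy-bot'] };

console.log(reviewBucketChanges(SAMPLE, POLICY));
```

Object-level calls such as PutObject are CloudTrail data events, which a trail does not record unless they are enabled for the bucket.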

Start Following Our eCommerce Security Tips Today

Realize that protecting your eCommerce sites is a journey, and will require periodic vigilance and care. Armed with these tips, you’ll be well on your way to protecting your online store.

 
