SecurityMetrics has shared this informational article with HFTP members and stakeholders after discovering a major increase in skimming tactics, especially e-skimming. This blog post is intended to spread awareness of e-skimming, as it targets businesses with online payment options and is virtually undetectable by typical security tools, such as antivirus software.
According to an article released by the U.S. Federal Bureau of Investigation (FBI), "e-skimming occurs when an attacker injects malicious code onto a website to capture credit or debit card data or personally identifiable information (PII)" (CISA, 2019).
Skimming has always been a threat to retailers. Prior to the EMV chip on credit cards, approximately 80 percent of our forensic investigations were performed in card-present environments such as hotels, restaurants and hardware stores. The implementation of the EMV chip solved many of the issues around physical skimming but did nothing to resolve e-commerce skimming.
After the implementation of the EMV chip, the number of our forensic investigations on point-of-sale (POS) or card-present skimming dropped to about 22 percent. This type of skimming is no longer as widespread because the change greatly reduced the profit motive for skimming cards from POS devices. However, this motivated hackers to turn their attention to e-commerce skimming. Now, 85 percent of our investigations are e-commerce attacks, with "Magecart" and other "formjacking" heists being the most popular.
Formjacking attacks first appeared on our radar in 2017. In one of our early cases, a merchant was bleeding card data despite having strong security policies and procedures in place. SecurityMetrics forensics ran antivirus scans, checked for malware, ensured their input fields were sanitized, and analyzed their code almost line by line, but we could not find anything suspicious in the merchant’s servers or databases.
Eventually, during a simulated purchase through the checkout process, we found a piece of malicious code attached to a compromised third party. This code was only triggered when a customer filled in the CVV field, and no evidence of the malware was present on the web server. It only existed in the browser, and only at the moment of credit card entry. This breach occurred while the company was compliant with industry standards: they had layered security and there were no issues with their code. In this case, a third party they utilized (i.e., an analytics company that tracked data about shopping carts) had been compromised.
Card-present transactions have a lengthy history of best security practices. If a merchant wanted to introduce third-party code into a POS card data environment, they often had to go through a series of internal and external validation steps before any additional code or processes were allowed. With e-commerce, it is a different story: there is a lot more going on in the shopping cart process.
Third parties can run data analytics on the shopping cart, and threat actors can compromise those third parties to steal data from your shopping cart. Or they can use "malvertising": malicious advertisements placed in the margins of a payment or shopping cart page. Third parties that are connected to checkout pages have given attackers many opportunities to infect your environment and steal your customers' data. In many instances, we see hundreds of external code elements in the checkout process when customer card data is present.
E-commerce skimming (or e-skimming) is especially malicious because it is extremely difficult to detect. It is often undetectable by normal security precautions like firewalls, file integrity monitoring (FIM) or antivirus, because those controls watch your own servers and files. Since attackers use third parties to host the malicious JavaScript that skims personal data, even if your own website is uncompromised, you may be loading someone else's code from another website, or even from a trusted entity, that is compromised.
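The third-party scripts described above are something a merchant can inventory before an incident. The following is an added example, not SecurityMetrics' code or any vendor's product: it lists every external script element on a saved copy of a checkout page, flags scripts whose origin the merchant has not vetted or that are vetted but not pinned with Subresource Integrity, and builds a Content-Security-Policy `script-src` value from the vetted list. The merchant and payment-provider origins, the allowlist and the sample HTML are all constructed for the demonstration.

```javascript
// Added example, not SecurityMetrics' code: a static audit of the external
// script elements on a checkout page. The allowlist, the origins and the
// sample HTML are all constructed for this demonstration.

const MERCHANT_ORIGIN = 'https://checkout.example-merchant.test'; // hypothetical
const VETTED_SCRIPT_ORIGINS = new Set([
  MERCHANT_ORIGIN,
  'https://js.example-psp.test', // hypothetical payment service provider
]);

// Extract every <script src=...> from the page, together with its SRI hash
// if one is declared. A regex is adequate for auditing saved HTML; in a
// browser you would walk document.scripts instead.
function listExternalScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script; nothing to resolve here
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

// One finding per script that the merchant has not explicitly vetted, or
// that is vetted but not pinned with Subresource Integrity. Same-origin
// scripts are left to server-side controls such as FIM.
function auditCheckoutScripts(html, allowlist = VETTED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const s of listExternalScripts(html)) {
    let origin;
    try {
      origin = new URL(s.src, MERCHANT_ORIGIN).origin;
    } catch (e) {
      findings.push({ src: s.src, issue: 'unparseable-src' });
      continue;
    }
    if (origin === MERCHANT_ORIGIN) continue;
    if (!allowlist.has(origin)) {
      findings.push({ src: s.src, origin, issue: 'unvetted-origin' });
    } else if (!s.integrity) {
      findings.push({ src: s.src, origin, issue: 'missing-sri' });
    }
  }
  return findings;
}

// A Content-Security-Policy value that makes the browser refuse any script
// not served from a vetted origin, so an injected tag fails to load at all.
function buildScriptSrcPolicy(allowlist = VETTED_SCRIPT_ORIGINS) {
  const sources = [...allowlist].filter((o) => o !== MERCHANT_ORIGIN);
  return `script-src 'self' ${sources.join(' ')}; object-src 'none'; base-uri 'self'`;
}

// Constructed checkout page: one first-party script, one vetted and pinned
// payment-provider script, and one analytics script nobody reviewed.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/cart.js"></script>
<script src="https://js.example-psp.test/v1/fields.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://analytics.example-tracker.test/cart-insights.js"></script>
</head><body><form id="payment" action="/pay"></form></body></html>`;

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML));
console.log(buildScriptSrcPolicy());
```

Run against the sample page, the audit reports only the analytics script as an unvetted origin; the payment-provider script passes because its origin is on the list and it carries an `integrity` hash. The policy string is meant for the `Content-Security-Policy` response header of the checkout page; adding `report-uri` or `report-to` turns every blocked script into a report the merchant can review.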
Credit card skimming has gone through several evolutions. Old-school credit card skimming involved setting up a device on cash registers or gas pumps that would capture card data. It was difficult to do because it required hooking the skimming device up to a power source or providing battery power. Now, with EMV, we are seeing a return to physical skimming devices that are as thin as a piece of tape and can harness the new EMV hardware's power, making this attack more difficult to detect.
However, with the expansion of online shopping and transactions since Covid-19, e-skimming has become a preferred method of capturing credit card data. E-skimming is rapidly increasing in popularity, and retail remains at high risk of being hacked, which comes with an increased amount of liability.
The good news is that a new class of client-side (browser) monitoring technologies watches the checkout process, even at the exact moment the customer enters credit card data, and can alert merchants the moment malicious code is injected into the checkout process.
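To make the client-side monitoring idea concrete, here is an added example that is not any vendor's product and not code from the original article. It watches the live checkout page for elements inserted after load and raises a finding for a script from an unexpected origin, an inline script added late, a frame from an unexpected origin, or a form whose `action` points off the merchant's and payment provider's origins. The decision logic lives in a pure function over a small descriptor so it can be exercised outside a browser; the origins and the sample insertions are constructed for the demonstration.

```javascript
// Added example of client-side checkout monitoring, not any vendor's product.
// evaluateNode() is a pure function over a small descriptor so it can be
// exercised outside a browser; installCheckoutMonitor() connects it to a
// MutationObserver when a DOM is present. All origins are hypothetical.

const MERCHANT_ORIGIN = 'https://checkout.example-merchant.test';
const PSP_ORIGIN = 'https://js.example-psp.test'; // hypothetical payment provider
const EXPECTED_SCRIPT_ORIGINS = new Set([MERCHANT_ORIGIN, PSP_ORIGIN]);
const EXPECTED_FORM_TARGETS = new Set([MERCHANT_ORIGIN, PSP_ORIGIN]);

function originOf(url) {
  try { return new URL(url, MERCHANT_ORIGIN).origin; } catch (e) { return null; }
}

// Reduce a DOM element to the few attributes the monitor cares about.
function describeElement(el) {
  return {
    tag: el.tagName,
    src: el.getAttribute('src'),
    action: el.getAttribute('action'),
  };
}

// Returns null when the inserted element is expected on the checkout page,
// otherwise a finding. Anything appearing after the page has loaded is
// judged strictly: the payment form should be static by then.
function evaluateNode(node) {
  const tag = String(node.tag || '').toUpperCase();
  if (tag === 'SCRIPT') {
    if (node.src == null) return { tag, issue: 'late-inline-script' };
    const origin = originOf(node.src);
    if (!EXPECTED_SCRIPT_ORIGINS.has(origin)) {
      return { tag, src: node.src, origin, issue: 'unexpected-external-script' };
    }
    return null;
  }
  if (tag === 'IFRAME') {
    const origin = node.src == null ? null : originOf(node.src);
    if (!EXPECTED_SCRIPT_ORIGINS.has(origin)) {
      return { tag, src: node.src, origin, issue: 'unexpected-frame' };
    }
    return null;
  }
  if (tag === 'FORM') {
    // No action attribute means the form posts back to the page itself.
    const origin = originOf(node.action || '');
    if (!EXPECTED_FORM_TARGETS.has(origin)) {
      return { tag, action: node.action, origin, issue: 'form-action-offsite' };
    }
    return null;
  }
  return null;
}

// Watch the live page; `report` receives each finding (default: console.warn).
// Returns the observer, or null when there is no DOM (e.g. under Node).
function installCheckoutMonitor(report = (f) => console.warn('checkout monitor:', f)) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null;
  }
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      for (const n of r.addedNodes) {
        if (n.nodeType !== 1) continue; // element nodes only
        const finding = evaluateNode(describeElement(n));
        if (finding) report(finding);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed descriptors standing in for nodes a checkout page might receive.
const SAMPLE_INSERTIONS = [
  { tag: 'SCRIPT', src: 'https://js.example-psp.test/v1/fields.js' }, // expected
  { tag: 'SCRIPT', src: 'https://cdn.example-unknown.test/helper.js' },
  { tag: 'SCRIPT', src: null },
  { tag: 'FORM', action: 'https://collect.example-unknown.test/' },
  { tag: 'DIV' },
];

console.log(SAMPLE_INSERTIONS.map(evaluateNode).filter(Boolean));
installCheckoutMonitor();
```

In a browser, `installCheckoutMonitor()` should be called from a first-party script as early as possible in the checkout page, with `report` sending findings to a merchant-controlled endpoint rather than only to the console. The descriptor approach also keeps the same rules usable in a headless synthetic checkout, which is how the case described earlier in the article was eventually observed.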
One of our central objectives as a cybersecurity business is to notify organizations of security threats that may negatively impact them. We hope that this blog has helped you see threats you may be missing so that you can keep your business secure.
Aaron Willis, CISSP, CISA, QSA is a senior forensic analyst at SecurityMetrics, a company that specializes in cybersecurity for SMBs and the payment industry.