The US Federal Bureau of Investigation has warned consumers that e-skimming attacks, in which online shoppers’ credit card details are stolen, are on the rise.
Skimming devices have been a threat, predominantly to ATMs and point of sale (POS) terminals, for some years. The FBI says it has been monitoring e-skimming for seven years, as per CNBC. But, says Herb Stapleton, section chief for the FBI’s cyber division, e-skimming crimes are growing because cybercriminals are sharing their malware online as well as becoming more sophisticated. Stapleton explains that attackers are evasive, saying, “If we put up a wall, they’re building a ladder or a tunnel or a way to go around it.” The section chief, talking to CNBC, didn’t quantify the growth, saying:
“It’s hard to put really — definite numbers around it. But one thing we know for sure is that millions of credit card numbers have been stolen, even over the course of the past two years.”
E-skimming, also commonly known as Magecart attacks, involves a number of techniques. Cybercriminals can infect websites and POS devices with malware that steals personal and credit card information. They can also breach web servers or the servers that support e-commerce websites. When a site has been compromised, there is no visible difference for shoppers, who continue with their purchases. Stapleton says:
“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer.”
CNBC cites Macy’s, Puma’s Australian e-commerce site, Ticketmaster, and British Airways as big-brand victims of e-skimming attacks. We covered the resulting Macy’s data breach a few weeks ago. The retailer believes the attack used malicious code added to the checkout and “MyWallet” pages of Macy’s e-commerce website to gain access to shoppers’ personal information. During the same week, Catch Restaurants in New York suffered a similar breach due to malware on their POS payment systems. Our weekly data breach roundups are full to the brim with similar incidents.
Randy Pargman, senior director for threat hunting and counterintelligence at Binary Defense in Ohio, US, told CNBC that the company has many clients in the retail sector and that:
“Any retailer that has a significant online presence that accepts online orders is definitely concerned about e-skimming.”
How consumers can protect themselves whilst shopping online
CNBC says customers can do a number of things to protect themselves when shopping on the internet including:
Shopping with credit cards
Credit cards can give a little more protection, and cause less inconvenience, if a card is compromised: liability for fraud may be lower, and a fraudulent transaction may take less time to resolve.
Consider virtual credit cards
Some banks and credit card issuers offer a virtual credit card facility. Virtual cards have a randomly generated card number that is linked to your actual card. They can be used for online transactions, charge your usual credit card account, and can have their own transaction and even expiry limits. Using a virtual card means that e-commerce websites aren’t given your real card details, offering a little more protection if a site is breached or is less than credible.
Regularly check bank and card transactions
Consumers should regularly check their credit and debit card transactions and immediately notify their bank or card issuer of any unusual transactions. Though it can be a pain, considering the volume of card theft and misuse, it’s a must for any online shopper.
A prudent warning for any business that takes payments online
In the Oregon FBI’s Tech Tuesday segment back in October, the organisation warned “small and medium-sized businesses and government agencies that take credit card payments online” that:
“E-skimming occurs when cyber criminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees—or through a vulnerable third-party vendor attached to your company’s server.”
Once malware or malicious code is present on a website, it can transmit consumers’ credit card details to cybercriminals instantly. The information gained can be used by the hackers themselves or sold on the dark web to other cybercriminals and bad actors. The FBI says businesses and organizations should:
- “Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up-to-date and firewalls strong.
- Change default login credentials on all systems.
- Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
- Segregate and segment network systems to limit how easily cyber criminals can move from one to another.”
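One check a site owner could build from this advice, added here as an illustration rather than anything from the FBI or the original article: re-crawl the checkout page and compare the scripts it loads against a known-good baseline and an allow-list of expected script origins, so that an injected or altered script is flagged instead of sitting unnoticed. The sample pages, domain names and the `audit` function are constructed for this example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Records the origin of every external script and a SHA-256 of every inline one."""
    def __init__(self):
        super().__init__()
        self.origins, self.inline_hashes = set(), set()
        self._buf = None  # gathers inline script text while inside a <script> element
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.origins.add(urlparse(src).netloc or "(same-origin)")
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            if code:
                self.inline_hashes.add(hashlib.sha256(code.encode()).hexdigest())
            self._buf = None

def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    return parser

def audit(baseline_html, current_html, allowed_origins):
    """Flag scripts a fresh crawl loads that the baseline or the origin allow-list lacks."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "new_origins": sorted(cur.origins - base.origins),
        "unlisted_origins": sorted(cur.origins - set(allowed_origins)),
        "new_inline_scripts": len(cur.inline_hashes - base.inline_hashes),
    }

# Constructed sample: a clean checkout page, then the same page with two extra scripts.
ALLOWED = {"shop.example", "payments.example"}
BASELINE = """<html><body><form id="checkout"></form>
<script src="https://shop.example/js/cart.js"></script>
<script>document.getElementById("checkout").dataset.ready = "1";</script>
</body></html>"""
TAMPERED = BASELINE.replace("</body>", '<script src="https://cdn-stats.example.net/a.js">'
    "</script><script>/* injected placeholder */var injected = 1;</script></body>")
```

Running `audit(BASELINE, TAMPERED, ALLOWED)` reports the unexpected origin and one new inline script; a scheduled run that alerts on any non-empty finding is the point, since the text above notes such code otherwise goes undetected for weeks.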
Bleeping Computer reported in October 2019 on a RiskIQ study that found there could have been over two million Magecart attacks since the threat was first discovered in August 2010. In one automated attack, cybercriminals breached more than 960 stores at the same time.
RiskIQ warns that attackers often target users of the Magento and OpenCart website software, looking for vulnerabilities in those platform builds and retreating when patches and updates are issued. It also warns that attackers use malicious adverts, and that 17% of these could distribute the Magecart threat. Malicious code survives undetected on a compromised e-commerce website for an average of 22 days.