Online skimming is currently one of the biggest persistent threats affecting retailers and service providers. These attacks infect e-commerce websites with malicious code to steal payment information. One of the biggest perpetrators of online skimming attacks is Magecart, a group of bad actors that target payment websites. Magecart hackers are consistently evolving their techniques. According to research from security researcher Willem de Groot, one in five Magecart-infected stores are re-infected within days.

Source: Willem de Groot

How Do Online Skimming Attacks Work?

1. Gain Website Entry

To start stealing information, bad actors need to find a way to gain access to your website. They can do this by exploiting vulnerabilities, phishing for your website credentials, or hacking into a third-party application. The latter is more common, as most websites use third-party applications for functions such as live chat or tracking visitor traffic. Bad actors prefer to target third-party providers because they can compromise more websites at once. Third-party breaches are also harder to detect because they don’t compromise the merchant directly. Therefore, a merchant may not realize their website has fallen victim to online skimming until it’s too late.

2. Inject Skimming Code

Once the door is open and the bad actors are inside, they can start injecting malicious JavaScript code to perform online skimming. This code can be customized to target specific websites or enact specific types of behaviour, and it can be hidden within normal scripts. Common scripts include the following:

  • Formjacking: Formjacking is when bad actors swap out legitimate payment forms with fake ones so that any information that is typed out in checkout is sent to another server.
  • Keyloggers: Keylogging scripts are used to record keystrokes to steal information. Bad actors can use keyloggers to determine credit card numbers or passwords.

Regardless of the type of malicious script, the goal is always the same: to steal information.

3. Steal the Payment Data

Once the malicious code is injected, it will lie within the website’s code until it’s triggered by a customer submitting payment information during checkout. Any information submitted is either stored locally on the compromised website or sent remotely to a command server controlled by the bad actors.

Any data harvested by the hackers can be used in a variety of ways. Some may use stolen credit card information to commit fraud or identity theft. Others will most likely sell the data on the dark web.

How to Protect Your Website

Companies with e-commerce websites and third-party providers are most at risk of being hit with online skimming attacks. To protect your business, you need to have detection and prevention best practices in place.

Detection Best Practices

1. Perform a risk assessment: A risk assessment will help detect vulnerabilities by scanning your website for any security gaps.

2. Review code: Taking some time to review your website code for any malicious scripts can help detect them before they compromise your website.

3. Review security logs: A SIEM can help monitor your networks and detect suspicious activity by producing security logs that can be analyzed and reviewed. To learn more about our SIEM, contact us today.

Prevention Best Practices

1. Data encryption: All customer payment information should be securely encrypted to prevent bad actors from reading data.

2. Always patch systems: Staying up-to-date with the security patches for your systems and software will help prevent bad actors from exploiting potential vulnerabilities.

3. Review third-party partners: When deciding to implement third-party apps, you need to do your research. Companies that work with payments need to be PCI compliant, and you should monitor their compliance status. You should also assess the types of third-party scripts you’re including in your website and determine whether they are actually necessary. Including unnecessary additional scripts makes your website more vulnerable to online skimming attacks.
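
One way to carry out the "Review code" and "Review third-party partners" steps is to inventory every script a checkout page loads and compare the hosts against a list you have approved. The following is an added example, not code from the original article; the sample page, host names and allowlist are constructed, and the integrity-attribute check (Subresource Integrity) is an extra signal the article does not discuss.

```javascript
// Constructed sample checkout page; every host and file name is made up.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://chat.vendor.example/widget.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.vendor.example/t.js"></script>
<script src="//cdn.unreviewed.example/jquery.min.js"></script>
<script>document.forms[0].addEventListener("submit", validate);</script>
</head></html>`;

// Hypothetical allowlist: third-party hosts the merchant has reviewed and approved.
const APPROVED_HOSTS = new Set(["chat.vendor.example", "stats.vendor.example"]);

function auditScripts(html, pageUrl, approvedHosts) {
  const page = new URL(pageUrl);
  const findings = [];
  // Simplification: a regex is enough to inventory static markup, but it
  // does not see scripts that other scripts add at runtime.
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code cannot be judged by host; queue it for manual review.
      if (body.trim()) findings.push({ kind: "inline", host: page.host, status: "review-manually" });
      continue;
    }
    const url = new URL(src[1], page); // resolves relative and protocol-relative URLs
    const firstParty = url.host === page.host;
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    let status = "ok";
    if (!firstParty && !approvedHosts.has(url.host)) status = "unapproved-host";
    else if (!firstParty && !hasIntegrity) status = "approved-no-integrity";
    findings.push({ kind: firstParty ? "first-party" : "third-party", host: url.host, status });
  }
  return findings;
}

console.table(auditScripts(SAMPLE_HTML, "https://shop.example/checkout", APPROVED_HOSTS));
```

Running the audit on a schedule and comparing the output with the previous run also highlights newly added script hosts, which is relevant given the re-infection rate cited at the top of the article.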