Introduction
Many of us have heard of or even fallen victim to credit card fraud. There are numerous ways that this can happen, but the most common way appears to be when a fraudulent reader is used to replace a legitimate one. For example, when you go get gas at your local station, you merely insert and quickly remove your credit card. The charge is authorized, and you can begin pumping. But if a person is sneaky enough, they can insert a fake reader and collect your credit card information with the use of a basic network sniffer.
But attacks have become more advanced than this, giving rise to a new kind of credit card fraud, known as e-Skimming.
What Is E-Skimming?
Suppose you visit a well-known site like Amazon to do your shopping. You add the items you’d like to purchase to your shopping cart, and in a few clicks, you check out. You assume that everything is fine because of the brand reputation of the online merchant and the fact that you were on a secure website. But, when checking your credit card account online, you notice that there are some charges that you did not make. So, how can this happen?
Well, this is an example of e-Skimming. In this case, a Cyberattacker may have probed for weaknesses and gaps on the website of an online merchant and deployed a malicious payload with the aim of capturing your credit card number and other relevant information. The unfortunate part about this is that you have no way of knowing that you have fallen victim until you check your credit card transactions when it is too late to do anything about it.
A breach exploiting a vulnerability on an e-commerce site platform is just one of the ways in which e-Skimming code can be introduced. Several other ways include cross-site scripting, where you are stealthily redirected towards a malicious domain where your PII information is captured; third-party plugins that aren’t properly screened and hide malicious code within their JavaScript which gets executed on the victim’s site when the plugin is loaded; phishing emails that manage to break into the victim’s network and deploy a payload on the victim’s site backend.
True, when you realize you’ve fallen victim to an e-Skimming attack, you can (and should) call your credit card issuer to cancel your existing card and have a new one issued. In most cases, they are one step ahead of you, and if any malicious activity is spotted, your credit card will automatically be declined as a safeguard. But this is just a temporary solution because it is quite likely the cyberattacker has already collected more information on you than just your credit card number.
They can sell this information on the dark web for a profit, or worse yet, use it to build a fake profile on you and launch subsequent identity theft attacks against you. Credit card fraud in this manner is also known as the “Magecart Attacks”.
The Mechanics of The Attack
Here we will explore the exact mechanics of how an e-Skimming attack is launched:
1) Finding the holes:
As mentioned earlier in this article, the Cyberattacker first looks for any holes in the online store of the merchant. There are many low-cost tools (even free ones) that can be used. A typical mechanism would be to conduct a vulnerability scan of the website. This gives the hacker a great level of insight into where the weaknesses reside. They’ll look for open ports not being used and if none are, they can easily access the backend of an online store. Steps to exploitation:
Once the cyberattacker probes around enough, he or she will then deploy the malicious payload that will be used to hijack your payment details and other pertinent data such as your address, phone number, email address, etc.
2) The theft:
As soon as you enter your credit card number (if you do not have it already stored), the malicious payload will begin recording. Once you have submitted your payment, this information is then transmitted back to the Cyberattacker to launch any further damage against you, if they choose to.
It is important to keep in mind that many online stores have become quite sophisticated and utilize a number of tools like coupons or special deals to entice you to shop. These can include widgets, web plugins, web extensions, and more. These are custom-made and often rely upon the use of a language called “JavaScript” to create. But this scripting language itself is not secure, compounding the problem of e-Skimming even more.
Conclusions - How to Stay Safe
Another unfortunate part of e-Skimming is that you have very little control over this process. The truth of the matter is that it mostly falls onto the shoulders of the online merchant. The root of these attacks is essentially that the source code used to create the online store is insecure in the first place. Therefore, it is up to merchants to test their applications through various means such as Penetration Testing and Threat Hunting. This will be the focal point of another article coming soon.
As a consumer, it’s important to keep a watchful eye on your credit card and bank accounts. This means checking them at least 2X a day, preferably more if you can. Also, set up alerts to your email to let you know of all transactions made on your credit card. That way, you will get more advanced notice of a phony charge being made to it.
Finally, check your credit reports from time to time. These are free to get and are available from all major bureaus.
Steps that operators of e-commerce sites can take to protect their customers:
There are a number of steps that the owner of online stores can do to make sure that their e-commerce store is as safe and secure as possible. Operators can and should:
*Come into PCI – DSS compliance. This is the de facto standard for the credit card industry, and it spells out all of the necessary controls that are required to secure credit card processing.
*Conduct Pen Testing exercises: This is really the only way in which to unearth any unknown vulnerabilities or gaps in the online store. Once this has been done, the merchant will receive a report from the organization that did the Pen Testing, specifying where the gaps are and any remediations that need to take place.
*Launch Threat Hunting exercises: These are tests designed to see if there are any threat actors that are lurking from within the server that is hosting the online store. Usually, they like to stay hidden for long periods internally, so this is the only way to find out.
*Conduct Vulnerability scans: These kinds of tests will show any open network ports. If there are any, they should be closed off immediately.
*Patches/Upgrades: Your e-commerce merchant should be applying software upgrades to their platforms as they come out.
In the end, as a customer, it is your right to ask these questions and get the appropriate answers. After all, it is your personal information/data that is at stake.
Follow Spruce for more tips on keeping you and your company cyber-safe. Learn more about Spruce by visiting www.sprucetech.com