We all know we need to be on the lookout for skimming devices that crooks install at ATMs or at the pump at gas stations.
But just in time for the holiday shopping season, we’re now being warned that the hackers are watching our online shopping carts, too, in order to steal our credit card and debit card information.
Such theft can happen whether you’re buying something online through a legitimate website or mobile app. Big names that have been targeted include the online store for the National Baseball Hall of Fame, which had a malicious payment code running between Nov. 15, 2018, and May 14, 2019.
What’s worse: It may be very difficult for a consumer to actually detect compromised websites that have been hit by an e-skimming scheme.
Unfortunately, you’re not going to be able to spot any odd gadgets or hardware that are used in the process, like you might with a skimmer installed on an ATM or gas pump.
It’s the next new wave for collecting stolen data to fill the shelves of the cyber black market.
“Any business accepting online payments on their website is at risk of an e-skimming attack,” according to an October alert from the Federal Bureau of Investigation office in Detroit.
Cyber criminals introduce a skimming code on e-commerce payment processing web pages to capture credit card and information such as your name, date of birth, account numbers, passwords and location information, the FBI said.
Targeted businesses include retailers, ticket selling sites, travel-related companies, utility companies and the vendors who provide online ads and web analytics.
“The increasing sophistication of these fraudsters could expand the e-skimming threat to other types of businesses, including the health care industry,” according to the FBI alert.
Security experts are noticing a wave of what’s called Magecart attacks – the name used for widely distributed malicious software used by cyber criminals – and the threat could rival the well-known compromises of point-of-sale systems of retail giants such as Home Depot and Target, according to RiskIQ, a San Francisco-based cyber security company that helps businesses protect against outside-the-firewall threats.
Digital skimming operations are very attuned to how a real company’s payment page looks and can blend in with normal payment processing to avoid detection.
“Customers have no way of detecting Magecart,” according to Mike Browning, senior manager of content and public relations for RiskIQ.
Major companies have been caught in the digital web-skimming trap – including breaches at British Airways and Ticketmaster. Ticketmaster was compromised via a third-party analytics supplier; British Airways was compromised directly.
Who’s running e-skimming schemes?
Many of the bad actors operate out of Eastern Europe. Some groups sell the stolen credit card data on the web. At least one group has used a complex re-shipping scheme to make money, Browning said.
Browning said one scheme uses phony job postings in Russian language newspapers distributed in the United States. The pitch promises a way to make money by buying goods with stolen credit card data and shipping them to Eastern Europe so that the Magecart actors can sell the goods elsewhere for a profit.
“This is a lucrative and efficient way to intercept lots of valuable credit card numbers in a short period,” Browning said.
How does it work?
Typically, the scammers exploit weak links in a company’s e-commerce platform. In many cases, a consumer can be re-directed to a malicious domain where the skimming code can capture the customer’s information from the checkout page.
The skimming code would capture your information in real time and send it to remote server where the data is collected by the criminals behind the scene. The consumer’s credit card data would either be sold or used to make fraudulent purchases from that point going forward.
Experts say the stolen data can be found for sale on the Dark Web where it is acquired to create counterfeit cards, launch phishing attacks and commit other types of fraud.
In many cases, a security firm ends up notifying the retailer or other business that their site has been hacked. And much later, consumers may hear about big data breaches.
Given that the credit card or debit card information is stolen in real time, cyber criminals know they have a live card – not a number that’s already been canceled.
“It shows that it’s a viable card and it has monetary value to it,” said Dave Lewis, global advisory chief information security officer at Ann Arbor-based Duo Security.
The value on the Dark Web could range from a few cents a card to $4 a credit card number, he said.
“They deal in hundreds of thousands of cards at a time,” Lewis said.
Lewis said he doesn’t find the latest twist surprising.
“This is the natural evolution of the attacker,” he said. “Nowadays, they understand these websites are processing millions of dollars in transactions.”
What should consumers do?
Adam Levin, founder CyberScout, said consumers should understand that more e-skimming attacks may be planned for the months ahead.
“There is often a spike in cyber attacks and fraud during the holiday season, and this year will be no different,” Levin said.
It is hard to avoid being e-skimmed as you shop online, Levin said. But several steps can be taken by consumers to protect themselves in the event of such hacking attacks.
Levin and other experts suggest that consumers don’t use debit cards to shop online, as bad actors would have easier access to your checking account – and you could have a much harder time straightening out problems with your bank account.
Even when you use a credit card, it may be wise to take other precautions. Avoid entering credit card details into a website. Large stores, such as Amazon, will store your card in your account, so you don’t need to enter it into a web form where a Magecart skimmer might be lurking, Browning said.
“Larger stores like Amazon are generally safe – breaches of giant online marketplaces could happen, but they dedicate such a significant amount of resources to security that it would be extremely unlikely,” Browning said.
Even so, entering your credit card once is safer than entering it repeatedly.
Small shops now offer Amazon Pay, which allows you to avoid potential skimming by paying via the card stored in your Amazon account rather than manually entering your credit card details, Browning said.
Another way to avoid entering your card details is by using Apple Pay, PayPal, or a similar mobile payment system, which send a sort of one-time token of your credit card information. Even if Magecart happens to skim the token, Browning said, they can’t access the associated credit card information. Services like PayPal ensure you never have to enter your information into an e-commerce site directly.
Lewis of Duo Security said he’d also suggest that online shoppers avoid clicking on banner ads for a specific store or product to avoid any malware-injected pop-ups. Instead, he said, type the web address in yourself.
Other tips for consumers include:
- Shop on well-known, reputable sites.
- Use one-time-use credit cards, which can be skimmed without consequence.
- Enable two-factor authentication for all connected devices.
- Use strong passwords that are unique to the websites and accounts they unlock. Change passwords frequently.
- Activate transaction alerts on all credit cards and bank accounts for free.
- Consider freezing your credit to prevent the creation of new accounts.
- If you’ve been notified of such breaches, you may want to get a new credit card issued by your bank with a new account number.
- Pay careful attention to your credit card statements and bank account statements to spot any signs of misuse.
- File a detailed complaint at the Internet Crime Complaint Center – www.ic3.gov – if you have been a victim of e-skimming or other cyber fraud.