Social distancing may have limited our physical interactions, but it also increased our electronic activities. So many of our daily pursuits are now done electronically – and some users for the first time. Although we have to disclose so much of our personal data online, cyber security is often an afterthought to the average consumer. On top of this, many businesses have turned to cyber transactions as a lifeline to counterbalance the disruptions to their traditional business models thanks to COVID. In short, digital transactions have become a convenient alternative for consumers and an apparent salvation for many businesses. At the same time however, this digital surge presents an immense opportunity to cybercriminals who have taken note of all of this. They are readily adapting to these changes in order to exploit our vulnerabilities and monitor our behavior accordingly.
2020 Online Increases
- Retail online purchases increased for all merchants. 80% chain store, 44% department store, 53% digital native – according to Blucore.
- More than $1 in every $5 was spent online in the 2nd quarter of 2020. This constituted an increase of 44 percent, the highest ecommerce penetration of any quarter or year on record.
- Social media engagement increased by 61% based on a study of 25,000 consumers.
- Total internet usage increased as much as 70 percent this year while 53 percent of Americans now say that the internet is essential to their lives.
Skimming is a method of stealing credit card information via the magnetic strip on the back of the card. Thieves illegally install specialized devices that can fit over a credit card reader. To the average consumer, these devices appear as a legitimate part of the reader as they inconspicuously capture card information from unsuspecting victims. The devices can be retrieved at a later time by the perpetrators with a load of data. Skimmers are commonly deployed at card readers that are standalone such as ATMs and gas stations. To curtail this practice, merchant service pumps should have credit card chip readers by April 2021. Because Europay, Mastercard, and Visa (EMV) chip card technology is more secure, card companies issued this deadline for most merchants to incorporate chip card acceptance at their pumps. If not, these merchants would be responsible for card fraud losses. While this will have a positive impact, criminals are already devising new methods utilizing a device called “shimmers.” This is a classic example of how cybersecurity is a moving target. Complacency is the devil’s handiwork.
Skimming 2020 Ecommerce Style
Due to the hardware limitations of traditional skimming tactics, it is extremely difficult to scale these types of attacks. What’s more, as the number of physical card transactions have diminished during the COVID era, so has the potential bounty for thieves. Just as the world has gone digital, so have criminals. A digital card skimming attack called Magecart is now becoming the “go-to” methodology for cybercriminals to steal credit card information from unwary online shoppers as they perform standard checkout procedures to pay for their goods and services. This may come as a surprise to many as legitimate shopping cart pages require encrypted connections today. In the case of Magecart attacks, encryption is irrelevant as the theft takes place on the site itself. Hackers inject code into vulnerable e-commerce sites to scan for payment details such as credit card numbers, card verification value (CVV) codes, names, phone numbers and transmits them back to a controlled server. Buried in code, this attack method can prove highly elusive and can take a while for anyone to detect it. As a result, these types of attacks can go undetected for weeks or even months. It is estimated that in 2019, a Magecart attack on a major e-commerce platform could net the fraudsters up to $130 million.
How a Magecart Attack Works
A real life example of a Magecart attack is the case of British Airways between August 21 and September 5 back in 2018. The compromised data included card expiration dates as well as the Card Verification Value codes (CVV) that are not stored online. As a result, British Airways was levied with a record fine for failing to comply with GDPR compliance. The British Airways attack was just one Magecart incident that has involved more than 18,000 websites and mobile apps since 2010. This is why Magecart was identified by Wired Magazine as one of the biggest online threats of 2018.
Magecart Increases its Presence in 2020
While these types of digital skimming attacks have appeared on the scene for a decade, they have dramatically increased in 2020. Cybersecurity specialists have confirmed a 20 percent increase in online skimming activity for the month of March alone. Some of the more publicized incidents include the following:
- The international music recording company, Warner Music Group, filed a breach incident with the California Attorney General acknowledging a Magecart attack. In the company statement, the company disclosed that an unauthorized third-party accessed “any information” entered by their customers over a three-month period of 2020.
- Google Analytics was recently unknowingly used to implement web skimming attacks. Attackers injected malware code on sites using the Analytics tracking code process. As a result, the hackers could access stolen data via their Google Analytics account. More than two dozen infected sites across the world were involved.
- The American Payroll Association (APA) reported that user information was stolen as a result of an injected skimmer on its website. Hackers injected malicious code on the organization’s login page and checkout section of its online store. While the malevolent activity was discovered on July 13, the attack had been in progress for two months. Compromised data included names, address, birthdates, contact information and even profile pictures.
- An automated Magecart attack involving some 2,000 stores took place in a single weekend. The attack took advantage of a zero-day vulnerability within an unsupported version of the online software, Magento.
How HALOCK Security Labs can Help
At HALOCK Security Labs, we have been helping organizations of all sizes effectively combat skimming attacks of all shapes and forms. During the these difficult times, we have stood alongside our valued customers, helping them devise and implement cybersecurity strategies and incident response plans that will protect them during these uncertain times. Our team of subject matter experts perform a wide array of services including threat monitoring, vulnerability testing and security assessments to ensure you’re your attack surface is secure against the most prevalent threats of today, including digital skimming. If your company is one of many that is new to the vulnerability of online transactions and ecommerce, we invite you to reach out and chat to review your security posture and enhance your response planning and PCI compliance in our evolving digital environment.
PCI WEBINAR SERIES
PCI DSS v3.2.1 expires on March 31, 2024. With 64 new requirements in PCI DSS v4.0, companies have a lot to consider in preparation for the coming deadline. In our 5-part PCI Webinar Series, from April 27-June 1, 2023, learn about the general changes to 4.0, new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance.
Join Viviana Wesley, CISM, PCI QSA, ISO 27001 Auditor and HALOCK Principal Consultant to review key updates and next steps to support your transition to PCI DSS v4.0.