Blog | 24By7Security

E-Skimming Steps you can take now to strengthen security

Written by Rema Deo | May, 4 2021

Steps You Can Take Now To Strengthen Security

The FBI has recently announced amped-up exploitation of e-commerce websites through a cybercrime known as e-skimming, which steals credit card information and other data during online shopping check-out.

When Magento was seriously hacked in late 2019, thousands of credit cards were compromised. Along with WooCommerce and Shopify, Magento is one of the three largest e-commerce platforms used by e-tailers and other organizations that accept card payments on their websites. The e-skimming hacks have since expanded far beyond Magento to encompass nearly every aspect of e-commerce.

This blog explores the scope of the problem, how e-skimming works, and what e-commerce businesses can do to harden their websites and payment card applications in order to minimize attack surfaces and reduce the risk of e-skimming in these online “card not present” environments.  

Scope of Problem

Any business that accepts debit or credit card payments on its website is a target for e-skimming.

Online purchases have spiked during the pandemic as homebound workers, unemployed, and under-employed workers have burned up the Internet with credit card purchases. Their buying behavior has been indulged by as many as 24 million e-commerce websites around the world, according to DigitalCommerce360.

E-commerce platforms like Magento, WooCommerce, Shopify, and others who provide the foundation for these websites are often highly complex constructions of software. Some of these platforms consist of enormous volumes of code (think JavaScript) that has been created and amended by many different developers over time.

As an example, Magento is purported to have 4.5 million lines of code in 17 languages supporting its e-commerce platform and MageCart shopping cart functionality, according to Synopsis. By comparison, WooCommerce utilizes 175,000 lines of code in 8 languages and Shopify 10,900 lines of code in 7 languages. It’s a lot of code.

In addition, many businesses have added widgets, plug-ins, and extensions to their e-commerce websites. While these add-ons may increase convenience and extend functionality, they also add to the volume of program code associated with their websites.

As is the case with most cybercriminals, those who began e-skimming several years ago with a simple focus on stealing credit card data are continuing to evolve. They now have cast their cybernets over businesses that use smaller or lesser-known e-commerce platforms. And they are turning their attention to peripheral targets, such as online advertising media, chatbots, and data analytics providers who serve the e-commerce website community.

Here’s How e-Skimming Works

E-skimming, sometimes called JavaScript sniffing, operates via malicious code or script that has been installed on an e-commerce website. Because of how subtly it works, and how much code is already existent in the website, the activity of e-skimming is generally transparent to both the seller and the buyer. The malicious code remains embedded on the site until it is discovered by the host or removed by the cybercriminal.

While embedded, the malicious script skims off card data as it is entered during the online check-out process. This includes card number, cardholder name, security code, and expiration date. (A corollary to e-skimming in “card-present” environments is called skimming, in which physical skimmers or scanners are installed in credit card slots at gas pumps and ATMs to capture card data.)

As e-skimming continues to evolve, some malicious scripts have also begun collecting buyer login credentials, which are highly prized among cybercriminals.

The skimmed data is sent electronically to the cybercriminal, who may use it or sell it on the black market or both.

Like much malware that finds its way into company networks, the door for e-skimming script is frequently opened by unsuspecting employees who fall victim to phishing schemes or social engineering. Hackers dupe employees into revealing their login credentials or otherwise providing network access, through which the e-commerce website can then be exploited.

Hackers may also employ URL redirection, hijacking a network connection and using it to send spoofed email messages to employees. An employee may take the message at face value, trusting that it is coming from their company’s domain. They may be instructed to click on a link or an attachment, which then allows the hacker access.

Other access opportunities can be found in vulnerable website widgets, plug-ins, and chatbots, for example, which cybercriminals are increasingly exploiting for e-skimming purposes.

What Businesses Can Do To Prevent e-Skimming

E-tailers and other businesses who sell products through e-commerce websites must assume that they are vulnerable to e-skimming. Fortunately, there are a number of actions that can be taken to reduce vulnerability by hardening security systems and e-commerce applications.

One of the first steps is to become fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is dedicated to decreasing credit card theft and fraud in both card-present and card-not-present environments.

The PCI Security Standards Council enables certain merchants to conduct their own compliance assessments using Self-Assessment Questionnaires, while others engage Qualified Security Assessors to conduct these assessments and validate compliance with the 12 PCI DSS requirements.

Whatever the case, every business that operates an e-commerce website should become PCI DSS compliant sooner rather than later. The same goes for brick-and-mortar merchants.

E-Skimming Prevention Tools

Several key tools and very specific recommendations are available to assist e-commerce businesses in preventing e-skimming attacks. The following are provided courtesy of Mark Hughes, senior vice president at DXC.technology.

  • Take a close look at all of the applications that support the e-commerce part of your business. Evaluate them for vulnerabilities. Search for inappropriate code. Restrict what code you allow to run.
  • Investigate the use of specialized scanning tools that can alert when suspicious connections are opened, during card payment sessions, by scripts injected into the application.
  • Prevent unauthorized changes to application files by using the option to Block Public Access on any Amazon Web Services Simple Storage Service (AWS S3) buckets.
  • Create a list of locations on your e-commerce website that resources can be loaded. Develop a Content Security Policy. Apply it to all sensitive pages, such as payment pages, login pages, and other forms that may collect card data or other user information.
  • Verify any external scripts, such as those from advertising partners or chat service providers, using Subresource Integrity (SRI). SRI is a best practice whenever resources are loaded from a third-party source. External scripts will be verified against a known good value to ensure they are the expected files—and will be blocked from loading if not.
  • Make sure that all assets on sensitive web pages use SRI. Use the Require-SRI-For directive in the Content Security Policy to enforce SRI on all scripts and style tags. This will prevent assets that do not have SRI enabled from being included in these pages.

Additional safeguards include the following best security practices. Many of these are suggested by the FBI and Cybersecurity and Infrastructure Security Agency (CISA) in the FBI Alert on e-skimming.

  • Be sure to use the most recent versions of software applications throughout your organization. Install new updates as soon as they become available because they often include security improvements.
  • Maintain current anti-virus and anti-malware programs and ensure that firewalls operate at peak performance. Be sure that defense includes spotting and blocking attacks from within the network, as well as from outside the network.
  • Change default login credentials on all systems, require strong team member passwords and regular password changes, and implement multi-factor authentication.
  • Segregate and segment network systems to limit the ability of hackers to move from one to another.

Other available guidance includes using packet analyzers or sniffers to monitor data packets, ensuring that incoming data is encrypted, running e-skimming scans on downloaded applications, conducting web application testing, and employing IP filtering and content filtering.  

Employee Training: Hardening the Weakest Link

The importance of employee training, and periodic refresher training, can never be over-emphasized as a means of reducing risk. Unsuspecting employees have frequently been responsible for enabling e-skimming, however unwittingly.

Employee training in social engineering, phishing, and other ploys is crucial. Training should include lessons in the damage that can be inflicted on company networks and data by simply clicking on links or attachments in email messages. Train employees to be suspicious and teach them why they need to be. Instead of being the weakest links in the security chain, vigilant, well-informed employees can actually enhance your front-line defenses.

For optimum effect, cybersecurity awareness training should include a mix of components, such as classroom training, online webinars, self-paced web-based training, newsletters and blogs, and regular email reminders and security quizzes. Everyone learns a little differently.

Summary

Online purchases have soared during the pandemic, with as many as 24 million e-commerce websites around the world enabling this growth.

Cybercriminals have exploited the popularity of online shopping by stealing credit card data as it is entered into online payment forms on e-commerce websites. Known as e-skimming or JavaScript sniffing, this cybercrime has evolved to include peripheral e-commerce targets such as online advertising media, chatbots, plug-ins, widgets, and data analytics programs.

Virtually transparent to both consumers and businesses, e-skimming demands very specific security measures to reduce vulnerabilities. E-tailers and other businesses who sell products through e-commerce websites should assume that they are vulnerable to e-skimming and should act quickly to harden website and application security.

How is Your Cybersecurity Hygiene?

On May 11, 2021 at 2pm Eastern Time, the Cybersecurity and Infrastructure Security Agency (CISA) will co-host a Cybersecurity Hygiene webinar to explore how prioritizing cybersecurity hygiene can enhance your business and how understanding CISA Cyber Essentials can help. Learn more at Cybersecurity: How’s Your Hygiene? - Stay Safe Online