The FBI has recently warned of increased exploitation of e-commerce websites through a cybercrime known as e-skimming, which steals credit card information and other data as it is entered during online shopping check-out.
When stores running Magento were hit by a wave of e-skimming attacks in late 2019, thousands of credit cards were compromised. Along with WooCommerce and Shopify, Magento is one of the three largest e-commerce platforms used by e-tailers and other organizations that accept card payments on their websites. The e-skimming attacks have since expanded far beyond Magento to encompass nearly every part of the e-commerce ecosystem.
This blog explores the scope of the problem, how e-skimming works, and what e-commerce businesses can do to harden their websites and payment card applications in order to minimize attack surfaces and reduce the risk of e-skimming in these online “card not present” environments.
Any business that accepts debit or credit card payments on its website is a target for e-skimming.
Online purchases have spiked during the pandemic as homebound, unemployed, and under-employed workers have shifted their spending online. That demand is served by as many as 24 million e-commerce websites around the world, according to DigitalCommerce360.
E-commerce platforms like Magento, WooCommerce, Shopify, and others that provide the foundation for these websites are often highly complex pieces of software. Some consist of enormous volumes of code, created and amended by many different developers over time, and the part that matters most for e-skimming is the JavaScript that each platform delivers to the shopper's browser on the checkout page.
As an example, Magento is purported to have 4.5 million lines of code in 17 languages supporting its e-commerce platform, according to Synopsys. By comparison, WooCommerce utilizes 175,000 lines of code in 8 languages and Shopify 10,900 lines of code in 7 languages. It is a lot of code. (Magecart, a name often heard alongside Magento, is not a Magento component: it is the collective name given to the criminal groups behind these skimming attacks, coined from their early focus on Magento shopping carts.)
In addition, many businesses have added widgets, plug-ins, and extensions to their e-commerce websites. While these add-ons may increase convenience and extend functionality, they also add to the volume of code on the site, much of it written and hosted by third parties the merchant does not control.
As is the case with most cybercriminals, those who began e-skimming several years ago with a simple focus on stealing credit card data are continuing to evolve. They have widened their net to businesses that use smaller or lesser-known e-commerce platforms, and they are turning their attention to peripheral targets, such as online advertising media, chatbots, and data analytics providers that serve the e-commerce website community.
E-skimming, sometimes called JavaScript sniffing, operates via malicious code or script that has been installed on an e-commerce website. Because of how subtly it works, and how much code is already present on the website, e-skimming is generally invisible to both the seller and the buyer. The malicious code remains embedded on the site until it is discovered by the host or removed by the cybercriminal.
While embedded, the malicious script skims off card data as it is entered during the online check-out process. This includes card number, cardholder name, security code, and expiration date. (The card-present analogue is physical skimming, in which skimmers or scanners are installed in card slots at gas pumps and ATMs to capture card data.)
As e-skimming continues to evolve, some malicious scripts have also begun collecting buyer login credentials, which are highly prized among cybercriminals.
The skimmed data is sent electronically to the cybercriminal, who may use it or sell it on the black market or both.
Like much malware that finds its way into company networks, the door for e-skimming script is frequently opened by unsuspecting employees who fall victim to phishing schemes or social engineering. Hackers dupe employees into revealing their login credentials or otherwise providing network access, through which the e-commerce website can then be exploited.
Attackers may also combine e-mail spoofing with URL redirection: a message that appears to come from the company's own domain carries a link that redirects to an attacker-controlled page, or an attachment that installs malware. An employee who takes the message at face value clicks, and the attacker gains a foothold from which the e-commerce website can be reached.
Other entry points are vulnerable website widgets, plug-ins, and chatbots, which cybercriminals are increasingly exploiting for e-skimming. Components served from a provider's servers are loaded by every site that embeds them, so a single compromise at the provider can skim many stores at once.
E-tailers and other businesses that sell products through e-commerce websites must assume that they are vulnerable to e-skimming. Fortunately, there are a number of actions that can be taken to reduce that vulnerability by hardening security systems and e-commerce applications.
One of the first steps is to become fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is dedicated to decreasing credit card theft and fraud in both card-present and card-not-present environments.
The PCI Security Standards Council enables certain merchants to conduct their own compliance assessments using Self-Assessment Questionnaires, while others engage Qualified Security Assessors to conduct these assessments and validate compliance with the 12 PCI DSS requirements. (PCI DSS version 4.0, published in March 2022, adds requirements 6.4.3 and 11.6.1, which call for an inventory and authorization of every script loaded on payment pages and for tamper detection on those pages as received by the consumer's browser, controls aimed squarely at e-skimming.)
Whatever the case, every business that operates an e-commerce website should become PCI DSS compliant sooner rather than later. The same goes for brick-and-mortar merchants.
Several key tools and very specific recommendations are available to assist e-commerce businesses in preventing e-skimming attacks. The following are provided courtesy of Mark Hughes, senior vice president at DXC.technology.
Other available guidance includes using packet analyzers or sniffers to monitor network traffic, ensuring that data in transit is encrypted, scanning downloaded applications for skimming code, conducting web application testing, and employing IP filtering and content filtering. Two caveats apply. A skimmer runs in the shopper's browser and reads the form fields before TLS encrypts them for transit, so encrypting the merchant's connections does not stop it; and the stolen data travels from the shopper's browser directly to the attacker's server, so a sniffer on the merchant's network will not see it leave. The most direct controls are an inventory of every script that loads on the payment page, pinning of third-party scripts, and monitoring of where those pages are allowed to send data.
The importance of employee training, and periodic refresher training, can never be over-emphasized as a means of reducing risk. Unsuspecting employees have frequently been responsible for enabling e-skimming, however unwittingly.
Employee training in social engineering, phishing, and other ploys is crucial. Training should include lessons in the damage that can be inflicted on company networks and data by simply clicking on links or attachments in email messages. Train employees to be suspicious and teach them why they need to be. Instead of being the weakest links in the security chain, vigilant, well-informed employees can actually enhance your front-line defenses.
For optimum effect, cybersecurity awareness training should include a mix of components, such as classroom training, online webinars, self-paced web-based training, newsletters and blogs, and regular email reminders and security quizzes. Everyone learns a little differently.
Online purchases have soared during the pandemic, with as many as 24 million e-commerce websites around the world enabling this growth.
Cybercriminals have exploited the popularity of online shopping by stealing credit card data as it is entered into online payment forms on e-commerce websites. Known as e-skimming or JavaScript sniffing, this cybercrime has evolved to include peripheral e-commerce targets such as online advertising media, chatbots, plug-ins, widgets, and data analytics programs.
Virtually invisible to both consumers and businesses, e-skimming demands very specific security measures to reduce vulnerabilities. E-tailers and other businesses that sell products through e-commerce websites should assume that they are vulnerable to e-skimming and should act quickly to harden website and application security.
On May 11, 2021 at 2pm Eastern Time, the Cybersecurity and Infrastructure Security Agency (CISA) will co-host a Cybersecurity Hygiene webinar to explore how prioritizing cybersecurity hygiene can enhance your business and how understanding CISA Cyber Essentials can help. Learn more at Cybersecurity: How’s Your Hygiene? - Stay Safe Online