How an Online Skimming Attack Unfolds

Website skimming continues to pose the biggest security threat to ecommerce brands in 2020

2019 saw another busy and profitable year of trading for online retailers. However, 2019 also saw multiple online skimming attacks on ecommerce websites. The skimming attacks saw cybercriminals inject malicious JavaScript code into several high-profile retailers’ websites in a bid to capture customers’ personal and financial information.

Activewear brand Sweaty Betty was one of the most recent victims of these online skimming attacks. It was forced to reveal that a third-party gained unauthorized access to part of its website and inserted malicious code “designed to capture information entered during the checkout process”.

Stolen customer data could include name, password, billing address, delivery address, email address, telephone number, payment card number, CVV number and expiry date.

Elsewhere, online fashion brand Love, Bonito has also confirmed its website was breached in the same way, exposing the personal and financial information of its customers. The incident came straight after US department store Macy’s made the headlines after suffering an identical web skimming attack, subjecting its online customers to data theft.

These are not isolated incidents. The attacks suffered by the likes of Sweaty Betty, Macy’s, Love, Bonita and countless other high-profile brands can be attributed to digital payment card skimming (DPCS) attacks, formjacking or online skimming – these types of attack now account for seven out of ten web breaches.

Here we explain the threat posed by such attacks, how they work and how you can enable online skimming protection to ensure your business don’t fall victim to website skimming.

What is website skimming?

Website skimming is defined as a process whereby hackers inject malicious JavaScript code into a website, enabling them to harvest customers’ credit card details and other personal information. Cybercriminals can do this by placing the skimming code directly on the website – either by brute force login attempts (credential stuffing), phishing or other social engineering techniques – or by exploiting known software vulnerabilities.

More commonly, hackers will exploit the website’s supply chain by manipulating one of the dozens of third-party technologies used on websites today to gain access to the site. Since many websites use the same third-party vendors, attackers know they only need to compromise a single component to skim data from a huge pool of potential victims.

DPCS or formjacking hijacks a website’s checkout pages. When a customer enters their credit card number and personal details to make their purchase, the code will skim the information in real time and transfer data to the hacker’s servers. Crucially, this process happens on the client side of the website and the form still completes the transaction with no disruption to the customer experience. This means neither the customer nor website owner is any the wiser to the fraud.

The hacker will then go on to perform payment card fraud or sell the details to other criminals on the dark web.

Why is there a surge in website skimming and data theft?

Online skimming is not a new data theft method. Traditionally, criminals have used card skimmers – gadgets hidden within credit card readers on ATMs, fuel pumps and other machines where people use their credit cards – to steal customers’ credit card data.

However, due to the move to more secure chip-based card infrastructure, it is becoming more expensive for thieves to fabricate and successfully use stolen customer data. As such, criminals are now turning their attention to website skimming, with ecommerce website attacks described as “off the charts” over the past year. A Symantec report shows that an average of 4,800 websites are compromised with formjacking code each month.

The increase in attacks is also linked to the proliferation of the Magecart hacking syndicate, which is responsible for an explosion in cases of data theft through website skimming. In most cases, the group focuses on third-party vendors to insert its code onto ecommerce websites. In the high-profile breach of Ticketmaster, for example, Magecart compromised a third-party chatbot, which loaded malicious code into the web browsers of visitors to steal customers’ payment data. Additionally, one in five Magecart-infected stores are re-infected within days.

How can you defend your website from a skimming attack?

If you have an ecommerce website, you are at risk of web skimming and data theft. But, as we have seen, client-side attacks can be difficult to detect – and the longer malicious code sits on your website, the more you and your customers are at risk.

The key is having control of your third-party ecosystem, including what can run on your site and thus access sensitive customer data. Most importantly, you should be aware of client-facing risks and apportion the same level of urgency to the security of your website as you would your internal systems and networks.

The Ensighten MarSec™ platform gives you the power to control which third parties collect data on your website, whilst allowing you to block unauthorized data collection, using the following functionality:

• Real-time website monitoring: Monitoring of all network requests coming into or out of your website to detect potential malicious threats
• Automated website privacy audit and alerts: Detect risks to your organization’s data privacy rules – website scanning will check for unapproved technologies that may have access to your customer data
• Masking of sensitive data: Determine unique data patterns to prevent sensitive data being exposed within the URL and passed to unauthorized third-party technologies

Speak to Ensighten about how you can enable online skimming protection to ensure the safety of your customer data.