Pickpockets, scam artists, and thieves have been stealing money and information from people for thousands of years. Today, however, instead of having to learn sleight of hand to lift a wallet from someone’s pocket, cybercriminals have quickly adapted to the modern digital age by creating tools and code that easily enable them to steal money and information via the internet. In this blog, we’ll discuss the threat known as digital skimming, the modern hacker’s version of pickpocketing.
Perhaps the best-known type of digital skimming attack is called ‘Magecart.’ Magecart-style attacks intercept financial transaction data (most often payment card details) by copying it from online payment forms in the customer’s browser as it is entered, while the legitimate transaction goes through normally, so neither the customer nor the merchant notices anything wrong. Although the name sounds like a single criminal gang or a piece of malware, ‘Magecart’ is an umbrella term: it covers the loose collection of groups that run these campaigns and, more generally, any digital skimming attack of this style.
For the past few years, Magecart-style breaches have been steadily on the rise. British Airways, Macy’s, Procter & Gamble, American Cancer Society, and many more have been Magecart victims. And these are just the high-profile breaches covered by the media. There are hundreds (if not thousands) of smaller scale e-skimming breaches happening daily that do not receive media attention.
Malicious Magecart-style skimming code has been found hosted on the Salesforce Heroku cloud, in Amazon S3 buckets, on the Amazon CloudFront CDN, and on other content delivery networks, where requests to it blend in with legitimate traffic to trusted providers. Magecart skimming code has also been found disguising itself as code from Sanguine Security, a legitimate security firm, so that a casual look at the page source would not raise suspicion.
Magecart e-skimming is covert, and it is a real and present threat to both consumers and businesses.
Web Skimming Attacks
Web skimming attacks capture the data customers type into web forms, including:
- Credit/payment card information
- Billing information
- Financial records
- Login credentials such as user IDs and passwords
Over the past few years, skimmers (cybercriminals engaged in skimming attacks) have actively updated their techniques to keep pace with changing technologies and to take advantage of businesses that do not stay on top of vulnerability management. Here are some of the most notable attack vectors they have used over the last three years:
Sideloading and Chain-loading Attacks
Most websites pull in third-party scripts (analytics, chat widgets, tag managers, payment SDKs), and those scripts in turn often load further scripts from other hosts. By compromising one such third-party tool, attackers reach almost all of that vendor’s customers at once, and a script that runs in the page has the same unrestricted access to each customer’s website and to the data entered on it as the vendor’s own code does. These supply-chain attacks often hit thousands of companies at once.
Trusted Cloud-hosted Platform Skimming
Skimmers also host their code on trusted cloud platforms and CDNs (the Heroku, S3 and CloudFront cases mentioned above), so the skimming script is served from a domain that many businesses already trust, and may already allow in their script allowlists, rather than from an obviously suspicious one.
Public Wi-Fi Skimming
IBM researchers discovered this type of e-skimming attack targeting public Wi-Fi hotspots. In a public Wi-Fi skimming attack, threat actors compromise the routers that serve large numbers of users in public spaces such as airports and hotels, and use them to inject skimming code into the web pages those users load. The code then exfiltrates whatever users enter on web forms, whether on ecommerce checkout pages, marketing landing pages or login pages. The attack is simple to execute because a vulnerable router sits in the path of every connection: the attacker does not need to compromise any individual website, since the router inserts the script into every page that passes through it. The one limit is transport encryption. A router can only rewrite pages served over plain HTTP, so a site served strictly over HTTPS (with HSTS, so the browser never falls back to HTTP) is protected from this injection path unless the attacker can also get the browser to trust a certificate they control.
E-commerce Platform Skimming
Some of the world’s most popular e-commerce platforms, including Volusion and Adobe’s Magento Marketplace, have been hit by Magecart e-skimming code. These platforms provide checkout services to thousands of merchants and collect and process large volumes of customer credentials, personal data and financial information, so a single compromise of the platform’s shared code reaches every store built on it. Thousands of online stores were compromised in the 2019 Volusion platform hack, which went undetected for weeks.
Anti-forensic, Self-cleaning, and Stealth Data Skimming
A few web skimmer variants are notoriously difficult to detect and remediate. Pipka is a web skimmer with anti-forensic, self-cleaning and stealth capabilities: once it has run, it removes its own script element from the page’s DOM, so anyone inspecting the live page after the fact sees no trace of it. Pipka-like threats require focused attention from cyber defenders and an automated scanning solution that watches how scripts behave at runtime and alerts on questionable behavior, rather than one that only inspects the page’s static source.
How to Defend Your Customers and Your Business
To defend your customers and your business from skimming attacks, security teams should implement the following best practices for client-side security:
- Harden defenses by building processes and procedures to detect website and web application tampering. Keep an inventory of your web assets, including every script each page loads, and know at all times whether any of them has changed.
- Continuously analyze the behavior of every script from the client side, looking for activity consistent with web skimming, including:
  - Access to form fields, especially payment and login fields
  - Sending of data from the browser to external servers that the page has no business talking to
- Introduce central control over which third-party scripts are allowed to load on each web page. Block the browser from executing unwanted sideloaded and chain-loaded scripts.
- Automate your client-side security operations to detect e-skimming attacks in real time. Do not rely on quarterly or annual vulnerability assessments alone: between assessments, threat actors can fly under the radar for months, giving them long windows in which to skim data from your customers.
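The two behavioral signals in the list above (a script reading form fields, and data leaving the browser for an external server) can be watched for directly in the page. The following is an added example written for this post, not Feroot’s product code: it hooks the common exfiltration paths and input reads, logs them as events, and flags the skimming pattern, including the self-removing script behavior described for Pipka above. The page origin, allowlisted origins, field-name pattern and sample events are all constructed for the example.

```javascript
// Added example (not Feroot's code): a minimal client-side behavior monitor.
// The pure functions run anywhere (Node included) for offline checking; the
// DOM hooks in installHooks() only activate inside a browser.

// Assumption: the only origins this checkout page legitimately talks to.
const PAGE_ORIGIN = 'https://shop.example';                // hypothetical first party
const ALLOWED_ORIGINS = new Set([
  PAGE_ORIGIN,
  'https://pay.example-psp.com',                           // hypothetical payment provider
]);

// Input names that carry payment data; a script reading these is of interest.
const SENSITIVE_FIELD = /card|ccnum|cvv|cvc|expir|pan/i;

// Resolve a request URL against the page and decide whether it leaves the allowlist.
function classifyRequest(url, pageOrigin) {
  let target;
  try {
    target = new URL(url, pageOrigin);                     // relative URLs resolve to the page
  } catch (e) {
    return { suspicious: true, reason: 'unparseable URL', origin: null };
  }
  if (ALLOWED_ORIGINS.has(target.origin)) {
    return { suspicious: false, reason: 'allowlisted origin', origin: target.origin };
  }
  return { suspicious: true, reason: 'egress to non-allowlisted origin', origin: target.origin };
}

// Walk an ordered event log and return the events that fit the skimming pattern:
// a sensitive field was read, and afterwards data went to a non-allowlisted origin.
// A <script> element that removes itself after running is reported on its own.
function findSkimmingPattern(events, pageOrigin) {
  const findings = [];
  let readSensitive = false;
  for (const ev of events) {
    if (ev.type === 'field-read' && SENSITIVE_FIELD.test(ev.name)) {
      readSensitive = true;
    } else if (ev.type === 'request') {
      const c = classifyRequest(ev.url, pageOrigin);
      if (c.suspicious && readSensitive) {
        findings.push({ via: ev.via, url: ev.url, origin: c.origin, reason: c.reason });
      }
    } else if (ev.type === 'script-removed') {
      findings.push({ via: 'dom', url: ev.src, origin: null, reason: 'script removed after execution' });
    }
  }
  return findings;
}

// Constructed sample log, not real traffic: the page's own API call and the
// payment provider call are fine, but after the card fields are read an image
// beacon goes to a look-alike domain.
const SAMPLE_EVENTS = [
  { type: 'request', via: 'fetch', url: '/api/cart' },
  { type: 'field-read', name: 'cardNumber' },
  { type: 'field-read', name: 'cvv' },
  { type: 'request', via: 'fetch', url: 'https://pay.example-psp.com/v1/tokens' },
  { type: 'request', via: 'img', url: 'https://cdn-statics.example-psp.co/p.gif?d=NDExMTExMTE' },
];

// Browser-only instrumentation that produces events in the format above. It
// wraps fetch, XHR, sendBeacon and Image.src, watches value reads on named
// inputs, and records <script> elements removed from the DOM. Returns false
// outside a browser so the file can also be run under Node.
function installHooks(log) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return false;
  const record = (via, url) => log.push({ type: 'request', via, url: String(url) });
  const origFetch = window.fetch;
  window.fetch = function (input, init) {
    record('fetch', typeof input === 'string' ? input : input.url);
    return origFetch.call(this, input, init);
  };
  const origOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    record('xhr', url);
    return origOpen.call(this, method, url, ...rest);
  };
  const origBeacon = navigator.sendBeacon;
  navigator.sendBeacon = function (url, data) { record('beacon', url); return origBeacon.call(this, url, data); };
  const src = Object.getOwnPropertyDescriptor(HTMLImageElement.prototype, 'src');
  Object.defineProperty(HTMLImageElement.prototype, 'src', {
    get() { return src.get.call(this); },
    set(v) { record('img', v); src.set.call(this, v); },
    configurable: true,
  });
  const val = Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, 'value');
  Object.defineProperty(HTMLInputElement.prototype, 'value', {
    get() { if (this.name) log.push({ type: 'field-read', name: this.name }); return val.get.call(this); },
    set(v) { val.set.call(this, v); },
    configurable: true,
  });
  new MutationObserver((muts) => {
    for (const m of muts) for (const n of m.removedNodes) {
      if (n.tagName === 'SCRIPT') log.push({ type: 'script-removed', src: n.src || 'inline' });
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
  return true;
}
```

On the sample log this returns one finding, the image beacon to cdn-statics.example-psp.co; the page’s own fetch and the call to the allowlisted payment provider are not flagged. Two caveats a practitioner should keep in mind. The `value` hook records reads by every script, including the page’s own, so in production each event should carry the caller (for example from `new Error().stack`) to attribute it to a script. And hooks installed in the page are only best effort: a skimmer that runs before the monitor, or that saved the original `fetch` and property descriptors first, goes around them, which is why in-page monitoring is paired with scanning from outside the page.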
Sounds challenging, right? To be honest, it is. Most companies cobble together a variety of tools such as vulnerability intelligence portals, vulnerability scanners and application security testing software, and then scan each web asset individually or write custom scripts in an effort to create some form of front-end security automation. This works in theory, but the behavioral analysis of the code is where such home-grown setups usually fall short.
There is a better way. Check out Feroot Security Inspector and Feroot Security PageGuard. If you are interested in automating your client-side security operations and hardening your skimming defenses, please reach out to us. Our client-side security specialists stand ready to help you protect your business and your customers.