Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

FBI Issues Payment Card Skimming Warning

DHS Joins FBI in Offering Mitigation Advice
FBI Issues Payment Card Skimming Warning

The FBI issued a warning this week about skimmer attacks designed to steal payment card data from e-commerce sites. The U.S. Department of Homeland Security also offered tips on defending against these attacks.

See Also: Check Kiting In The Digital Age

The FBI notes that these skimmer attacks usually start with cybercriminals injecting malicious JavaScript code into the check-out and payment pages of online retail sites to steal credit and payment card information from customers using the site.

These types of virtual credit card skimmers, which are also referred to as JavaScript skimmers, JavaScript sniffers or JS sniffers, can be cheaply purchased on underground sites, security researchers say. That’s one reason why there’s been a surge in these types of cyber incidents (see: Surge in JavaScript Sniffing Attacks Continues).

"This warning is specifically targeted to small and medium-sized businesses and government agencies that take credit card payments online," the FBI states in its alert. "E-skimming occurs when cybercriminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees - or through a vulnerable third-party vendor attached to your company's server."

An Ounce of Prevention

The FBI and DHS offer some basic security guidelines for smaller firms, as well as consumers, to follow to cut down on these types of skimmer attacks:

  • Keep software updated and patched;
  • Update and change passwords and other credentials, and use unique passwords on all devices and applications;
  • Implement multifactor authentication;
  • Avoid clicking on suspicious links, especially if they come from an unfamiliar email address;
  • Segment networks to keep payment and customer data separate.

Many e-commerce sites don't properly vet their third-party suppliers or insist that they follow specific security practices to stop the spread of malicious code, says Jérôme Segura, the director of threat intelligence at security firm Malwarebytes.

"The numerous threat groups deploying skimmers will usually exploit a vulnerability in the underlying software running the e-commerce platform or perhaps will load unvetted malicious code via a third-party,” he says. “Some criminals will also build phishing pages designed to steal credentials to the online store, therefore allowing them to inject malicious code."

Magecart Attacks Increasing

Many skimming attacks have been waged by Magecart, an umbrella organization comprising a dozen groups that have been attacking the e-commerce check-out sites of several major companies, including British Airways, Ticketmaster and Newegg, over the last 18 months (see: Magecart Group Continues Targeting E-Commerce Sites).

Over the past year, security firm RiskIQ has detected Magecart-linked code over 2 million times and over 18,000 domains have been breached as a result.

In some of the cases related to Magecart, security researchers note that the attackers have re-injected the JavaScript code onto check-out sites even after an incident has been detected by security teams. This has allowed these attacks to continue for months without detection.

Different Tactics

In July, RiskIQ released a report that found one Magecart group had started injecting JavaScript into unsecured Amazon Web Service S3 buckets in order to skim payment data from many more sources (see: RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets).

Earlier this month, a Check Point Software Technologies researcher found cybercriminals had compromised a cloud-based payment platform created by Volusion. This platform is used by thousands of different companies as the backbone of their check-out and payment sites for their online stores. The researcher noticed the malicious JavaScript in the check-out section of the Sesame Street Live online store (see: Volusion Payment Platform Sites Hit by Attackers).

(Managing Editor Scott Ferguson contributed to this report.)

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.