FBI Issues Payment Card Skimming Warning
DHS Joins FBI in Offering Mitigation Advice
The FBI issued a warning this week about skimmer attacks designed to steal payment card data from e-commerce sites. The U.S. Department of Homeland Security also offered tips on defending against these attacks.
"This warning is specifically targeted to small and medium-sized businesses and government agencies that take credit card payments online," the FBI states in its alert. "E-skimming occurs when cybercriminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees - or through a vulnerable third-party vendor attached to your company's server."
An Ounce of Prevention
The FBI and DHS offer smaller firms, as well as consumers, some basic security guidelines for reducing the risk of these skimmer attacks:
- Keep software updated and patched;
- Update and change passwords and other credentials, and use unique passwords on all devices and applications;
- Implement multifactor authentication;
- Avoid clicking on suspicious links, especially if they come from an unfamiliar email address;
- Segment networks to keep payment and customer data separate.
Many e-commerce sites don't properly vet their third-party suppliers or insist that they follow specific security practices to stop the spread of malicious code, says Jérôme Segura, the director of threat intelligence at security firm Malwarebytes.
"The numerous threat groups deploying skimmers will usually exploit a vulnerability in the underlying software running the e-commerce platform or perhaps will load unvetted malicious code via a third-party," he says. "Some criminals will also build phishing pages designed to steal credentials to the online store, therefore allowing them to inject malicious code."
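The alert and Segura's comments both come down to one mechanism: a script that was not there before appears on the checkout page, either injected directly or pulled in through a third-party vendor. A practical detection control for a site operator is a script baseline: an allowlist of hosts the checkout page is permitted to load code from, Subresource Integrity (SRI) hashes for the scripts it does load, and a periodic audit that re-parses the page and alerts on anything off the baseline. The following is an added example written for this article, not code from the FBI, DHS or Malwarebytes; the HTML, hostnames and baseline values are constructed for illustration.

```python
"""Baseline audit of the <script> tags on a checkout page.

Detection idea: an e-skimmer works by getting extra script onto the page,
often via a compromised third-party vendor. A defender keeps an allowlist
of script hosts and hashes of the page's own inline scripts, re-fetches the
page on a schedule and alerts on any script that is not on the baseline.
Everything below (page, hostnames, baseline) is constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src/integrity attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser hands us the raw body of a <script> element here.
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html: str, allowed_hosts: set, known_inline_hashes: set) -> list:
    """Return (severity, reason, detail) findings for scripts that are off the baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for same-origin relative paths
            if host is None:
                continue  # first-party script served from this site; covered by deploy checks
            if host not in allowed_hosts:
                findings.append(("high", "script from host not in allowlist", s["src"]))
            elif not s["integrity"]:
                findings.append(("medium", "third-party script without SRI integrity", s["src"]))
        else:
            h = sri_hash(s["inline"].strip().encode())
            if h not in known_inline_hashes:
                findings.append(("high", "inline script not in baseline", h))
    return findings


# Constructed checkout page: one first-party script, one vetted vendor with SRI,
# one vendor without SRI, one script from a host nobody approved, one inline config.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.test/tag.js"></script>
<script src="https://static-content.unknown-cdn.test/jquery.min.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body></body></html>"""

# Constructed baseline: hosts approved by the site operator and the hash of its own inline script.
ALLOWED_HOSTS = {"cdn.example-payments.test", "analytics.vendor.test"}
KNOWN_INLINE_HASHES = {sri_hash(b'window.checkoutConfig = {currency: "USD"};')}


def run_example(html: str = SAMPLE_CHECKOUT_PAGE) -> list:
    """Audit a page against the constructed baseline and return the findings."""
    return audit_scripts(html, ALLOWED_HOSTS, KNOWN_INLINE_HASHES)


if __name__ == "__main__":
    for severity, reason, detail in run_example():
        print(f"[{severity}] {reason}: {detail}")
```

Run against the sample page, the audit flags the unapproved host and the vendor script that lacks an integrity attribute, while the first-party script, the SRI-pinned vendor and the known inline block pass. In production the same check would run against the live page from outside the site (so it sees what customers see), and the SRI values in the allowlist would be verified against the fetched script bodies with sri_hash as well.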
Magecart Attacks Increasing
Many skimming attacks have been waged by Magecart, an umbrella organization comprising a dozen groups that have been attacking the e-commerce check-out sites of several major companies, including British Airways, Ticketmaster and Newegg, over the last 18 months (see: Magecart Group Continues Targeting E-Commerce Sites).
Over the past year, security firm RiskIQ has detected Magecart-linked code over 2 million times and over 18,000 domains have been breached as a result.
(Managing Editor Scott Ferguson contributed to this report.)