[BreachExchange] Preventing digital skimmer attacks threatening e-commerce

Destry Winant destry at riskbasedsecurity.com
Fri Oct 26 01:17:46 EDT 2018


As e-commerce expands, so does the threat from credit card skimming.
In recent months, a malicious code known as Magecart has been
responsible for exposing hundreds of thousands of credit card accounts
to hackers. The threat extends to all websites that accept credit card
payments, including point-of-sale kiosks.

Magecart isn't a person or group, but a seemingly decentralized global
campaign to commit fraud. The one thing all the attacks have in common
is the mage.js script, from which it takes its name.

A recent Ticketmaster U.K. hack — an attack that may have exposed up
to 5 percent of Ticketmaster's global userbase to digital skimmers —
was also a Magecart incident. But how do these criminals manage to do
so much damage with a simple script? Even more important than that:
how can businesses protect themselves from becoming the next victim?

How it works

The script essentially works like a card skimmer installed on a
physical card terminal. By injecting the malicious script, hackers can
steal payment information in real time during checkout. The
information is then relayed over to a collection server run by the

Once the perpetrator has the cardholder's data, they can use that
information to make fraudulent purchases online. They can also bundle
multiple cardholders' information and sell it on a black market to
other fraudsters.

The breaches aren't especially hard to stop once identified. However,
they take a long time to detect because the hackers aren't usually
attacking the merchant directly. Instead, they usually attack the
systems belonging to a third-party that works with the merchant.

This backdoor tactic lets the fraudster quietly steal data for months
without being noticed; as a result, it takes an average of one year to
identify a large data breach. Even if a merchant is up-to-date with
PCI compliance standards and antifraud best practices, they can still
be targeted.

E-commerce: the path of least resistance

Part of the problem is that more and more of the fraud burden is
shifting from the card-present to card-not-present environment. That
trend had been in place for years, but it accelerated rapidly after
the EMV liability shift in October 2015. Now, fraudsters see the
e-commerce environment as the "path of least resistance," and focus
their energy on attacking e-commerce sellers.

The Magecart script has been found in more than 800 different sites
already, and there could be hundreds or thousands more sites out there
waiting to be identified. Even though none of these merchants are
necessarily responsible for the attacks, they will most likely get the

Equifax, Target, Sony… most high-profile data breaches are associated
with the consumer facing business involved. And, even after a hack is
identified and resolved, there is a lasting stigma associated with the

The IBM study sourced above identified the average cost per data
breach as $3.86 million. Of course, that only counts the initial,
direct costs of the breach. The PR damage from a major attack could be
exponentially greater than the direct losses and can last for years
after the fact.

Defending against attacks

Online merchants can't afford to take a passive approach to this
threat. The best chance they have of protecting their business is to
be proactive. Some risk mitigating practices and behaviors I recommend

- Data encryption: Encrypted data is unreadable without the key,
making it useless to hackers.
- Risk assessment: Regular scans for vulnerabilities can identify risk sources.
- Fraud indicators: Perform regular scans of all systems and identify
signs of a potential breach.
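The "fraud indicators" bullet and the earlier description of how the skimmer is injected through a third party suggest one concrete, periodic check: inventory every script on the checkout page and flag anything outside the merchant's own baseline. The following is an added example, not code from the article or any product it mentions; the host names, the baseline of inline scripts and the sample checkout HTML are all constructed for this example, and the merchant is assumed to maintain such a baseline from a known-good snapshot.

```python
"""Audit a checkout page's <script> tags against a merchant-maintained baseline.

Added example (not from the article). It reports three kinds of findings:
  - a script loaded from a host not on the allowlist,
  - an allowed third-party script without a Subresource Integrity attribute,
  - an inline script whose hash is not in the known-good baseline.
All host names, baseline scripts and sample HTML below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical merchant baseline (constructed for this example).
FIRST_PARTY_HOST = "shop.example"
ALLOWED_THIRD_PARTY_HOSTS = {"cdn.example", "js.payments-provider.example"}
BASELINE_INLINE_SCRIPTS = [
    'window.shopConfig = {currency: "USD"};',
]


def normalize(body):
    """Collapse whitespace so formatting changes alone do not trigger findings."""
    return " ".join(body.split())


def inline_hash(body):
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


KNOWN_INLINE_HASHES = {inline_hash(b) for b in BASELINE_INLINE_SCRIPTS}


class ScriptCollector(HTMLParser):
    """Collects each <script> tag's src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents verbatim as data.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def audit_page(html, first_party_host, allowed_third_party, known_inline_hashes):
    """Return a list of (finding_kind, subject, detail) tuples for review."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for relative URLs
            if host is None or host == first_party_host:
                continue  # served from the merchant's own origin
            if host not in allowed_third_party:
                findings.append(("unexpected-script-host", host, s["src"]))
            elif not s["integrity"]:
                findings.append(("third-party-script-without-sri", host, s["src"]))
        else:
            digest = inline_hash(s["body"])
            if digest not in known_inline_hashes:
                findings.append(("unknown-inline-script", digest, normalize(s["body"])[:60]))
    return findings


# Constructed sample checkout page: one unexpected host, one allowed
# third-party script without SRI, and one inline script not in the baseline.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib/cart.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payments-provider.example/v1/form.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="https://static.example-analytics.test/tag.js"></script>
<script>/* inline code not in the baseline */ var unexpected = 1;</script>
</head><body></body></html>
"""


def audit_sample():
    return audit_page(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_HOST,
                      ALLOWED_THIRD_PARTY_HOSTS, KNOWN_INLINE_HASHES)


if __name__ == "__main__":
    for kind, subject, detail in audit_sample():
        print(f"{kind}: {subject} ({detail})")
```

Run it against a fetched copy of the real checkout page on a schedule and diff the findings against the previous run; a new host or a changed inline hash is the signal to investigate. The SRI finding is deliberately low-severity: hosted payment scripts often change without notice and cannot carry a fixed integrity hash, which is exactly why such scripts need to be inventoried and reviewed rather than assumed safe.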

Of course, no single tool or strategy can, on its own, prevent the loss
of profits and revenue. For example, roughly 52 percent of all data
breaches can be chalked up to human error or system glitches. Add to
that the fact that a data breach is just one of countless threats
facing merchants in a dynamic marketplace. That's why sellers need a
much broader, more comprehensive approach if they hope to fight
revenue loss successfully.

Each tool in a merchant's arsenal can address certain threats. When
you leverage multiple complementary tools, though, you have broader

I'm talking about a multilayer approach to fraud prevention and risk
mitigation. For example, data encryption can help by limiting the
scope of a data breach, but it can't do anything about account
takeover fraud or post-transactional threats like cyber shoplifting.
Only by combining encryption with two-factor customer verification,
geolocation and other tools can merchants really start to see true
fraud protection.

Merchants who fail to respond to data vulnerabilities and new threats
like the Magecart script are leaving themselves open to be victimized.
But those who only focus on data security and forget about other
threat protections are just as vulnerable.
