E-skimming / Online Skimming / Digital Skimming Continue to Rise

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Online data and credit card skimming attacks continue to rise, especially as online purchasing grows. Magecart and other skimming attacks have increased in scale over the past couple years. These types of attacks are a pervasive threat for online retailers for the foreseeable future.

Skimming attacks exploit client-side browsers by injecting code that captures customer-entered data. It then sends the data to a remote server for cybercriminals to collect. This information includes name, credit card number, expiration date, address, etc. Identifying and defending against skimming attacks can be difficult due to the rapid development of new tactics, techniques and procedures.

A recent attack compromised over 200+ online campus stores in the US and Canada. A new Magecart group, dubbed Mirrorthief, attacked multiple victims using the PrismWeb e-commerce platform. The attackers injected their skimming script into the shared JavaScript libraries used by PrismWeb for payment checkout. This campaign avoids detection by making the injected JavaScript look like a legitimate Google Analytics script. It evades both automated and manual detection by looking identical to the innocuous tracking and performance scripts used on today's commerce sites.

Another example is the use of in-line frames (iframe), an HTML document embedded within the HTML of a website. Malicious iframes can be used to trick the user to enter credit card data. A recent Magecart campaign made use of this novel tactic. The attack was triggered only after specific conditions were met when a shopper visited the shopping cart checkout page. In this attack, a bogus version of the checkout form is delivered to the customer. The bogus form looks like many of the forms used for electronic payments, except the card information field is already present and ready for collection when data is entered.

As these types of attacks continue to grow, the only defense is to take a multilayer approach to prevention and risk mitigation. Managed Security Service Provider (MSSP) monitoring services, network security solutions, SIEM correlation tools and endpoint detection and response (EDR) are all extremely important in the identification of active attacks by these fast-evolving threats. However, actions taken by retailers are also critically important. Vulnerability scanning, patch management programs, access control programs, code audits, etc. are just as important to make sure all aspects are working as part of one cohesive security solution.