Online Skimming Attacks are Still Affecting Over 4000 Online Stores 2 years ago

online skimming

Willem De Groot, Dutch security researcher, has reported that nearly 6,000 e-commerce sites worldwide are victims of credit card theft, including at least 250 Dutch merchants. Most of the affected web shops are small and do not have access to the necessary resources to determine whether their site is secure. Cyber criminals are using security holes in vulnerable systems to inject malicious JavaScript code in the checkout page. It allows them to steal customers’ payment card credentials and sell the data for $30 per card on the black market.

The number of online skimming attacks has risen with 69 percent since last year, when De Groot run his first general scan. In November 2015, he scanned a sample of 255,000 online shops worldwide and found various malware on 3,501 stores. He then repeated his scan in March 2016, when he found even more web shops had been hacked. The number has grown to 4,476 stores, which represent an increase of 28%. This situation has gone worse as of September 2016, when de Groot found 5,925 online shops had been compromised. He also noticed that 754 stores, who were unwillingly and unknowingly skimming today, were already skimming in 2015. It shows that this new form of cyber criminals can work undetected for months.

On October 11th, de Groot decided to publish the list of infected stores on Gitlab. Apparently, the list scared enough store owners and encouraged webmasters to take action. More than 300 stores were fixed within 48-hour and as of October 24th, the number of infected stores went down to 4,471. However, 170 new stores were hacked at the same period and it is estimated that nearly 85 stores are compromised daily.

About Online Skimming

Online skimming is gaining popularity among cyber criminals, as it is often and deemed a perfect crime. It’s not just that it presents a greater target for the thieves, it’s also hard to detect and almost impossible to track. Online skimming occurs when attackers hack into a website and leave software that secretly logs information entered on the payment page. When unsuspecting customers pay for their orders, the planted malware automatically copies their credit card details and sends it to the hackers’ server.

De Groot has noticed a more advanced improvement in the malware’s code. Within only one year, online skimming malware has developed from one single threat to three distinct malware families, with a total of nine variants of JavaScript malware code. In addition, the newer versions can check for popular checkout and payment extensions, said the researcher in his blog post.

So what can you do to avoid online skimming?

Part of the reason why hackers can easily gain access to stores’ website is because merchants don’t always patch their sites when a software update is available. Updating the software regularly is indeed costly, nevertheless store owners should always be responsible in maintaining their sites. De Groot even suggests big companies, like Visa and Mastercard, revoke the payment license of sloppy merchants. Moreover, he believes it would be efficient if Google includes these sites in its Chrome Safe Browsing blacklist. When a website is added to the list, visitors would be greeted with a fat red warning screen, encouraging shopkeepers to resolve the problem quickly.

Paul Farrington, manager of EMEA solution architects at information security Veracode, perceives that the government could do more to create a secure society. For instance, companies should be encouraged to test software for the vulnerabilities, hosting providers should be asked to do more on detecting and protecting sites, reward-penalty mechanisms should be introduced to ensure companies take security seriously.

No Replies on Online Skimming Attacks are Still Affecting Over 4000 Online Stores

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>