The number of online skimming attacks has risen by 69 percent since last year, when De Groot ran his first general scan. In November 2015, he scanned a sample of 255,000 online shops worldwide and found various malware on 3,501 stores. He repeated the scan in March 2016 and found that even more web shops had been hacked: the number had grown to 4,476 stores, which represents an increase of 28%. The situation had grown worse by September 2016, when de Groot found that 5,925 online shops had been compromised. He also noticed that 754 stores that were unwillingly and unknowingly skimming today had already been skimming in 2015. It shows that this new kind of cyber criminal can work undetected for months.
On October 11th, de Groot decided to publish the list of infected stores on Gitlab. Apparently, the list scared enough store owners and encouraged webmasters to take action. More than 300 stores were fixed within 48 hours, and as of October 24th, the number of infected stores had gone down to 4,471. However, 170 new stores were hacked in the same period, and it is estimated that nearly 85 stores are compromised daily.
About Online Skimming
Online skimming is gaining popularity among cyber criminals, as it is often deemed a perfect crime. It’s not just that it presents a greater target for the thieves; it’s also hard to detect and almost impossible to track. Online skimming occurs when attackers hack into a website and leave software that secretly logs information entered on the payment page. When unsuspecting customers pay for their orders, the planted malware automatically copies their credit card details and sends them to the hackers’ server.
So what can you do to avoid online skimming?
Part of the reason hackers can easily gain access to stores’ websites is that merchants don’t always patch their sites when a software update is available. Updating the software regularly is indeed costly; nevertheless, store owners should always be responsible for maintaining their sites. De Groot even suggests that big companies, like Visa and Mastercard, revoke the payment license of sloppy merchants. Moreover, he believes it would be efficient if Google included these sites in its Chrome Safe Browsing blacklist. When a website is added to the list, visitors would be greeted with a fat red warning screen, encouraging shopkeepers to resolve the problem quickly.
Paul Farrington, manager of EMEA solution architects at information security firm Veracode, believes that the government could do more to create a secure society. For instance, companies should be encouraged to test software for vulnerabilities, hosting providers should be asked to do more to detect and protect sites, and reward-penalty mechanisms should be introduced to ensure companies take security seriously.