• Latest

How Online Web Skimming Attacks Work

July 30, 2019
10 Best OSINT Tools

10 Best OSINT Tools

August 15, 2022
How Print on Demand Companies Can Prevent Chargebacks

How Print on Demand Companies Can Prevent Chargebacks

August 11, 2022
KYC & AML: Know your customer and anti-money laundering explained

KYC & AML: Know your customer and anti-money laundering explained

August 7, 2022
New Podcast Episode: Walls of Thieving Cellphones with Nethone

New Podcast: How Consumers React to Identity Theft and Account Takeover Attacks

August 2, 2022
The Best Reverse Email Lookup Tools in 2022 (with pricing)

The Best Reverse Email Lookup Tools in 2022 (with pricing)

August 16, 2022
Tailgating Attack

Tailgating Attack

July 24, 2022
80 billion Euros lost to online fraud across physical and digital goods, and e-ticketing in 2021, reveals Fraugster’s new Payment Intelligence Report  

80 billion Euros lost to online fraud across physical and digital goods, and e-ticketing in 2021, reveals Fraugster’s new Payment Intelligence Report  

July 20, 2022
Influencer Insights: Christian Mangold, CEO of Fraugster Discusses the Payment Intelligence Report 2022

Influencer Insights: Christian Mangold, CEO of Fraugster Discusses the Payment Intelligence Report 2022

July 20, 2022
New Podcast Episode: Walls of Thieving Cellphones with Nethone

New Podcast: Let’s Get Megan a Job! LinkedIn recruiter scams & how to find work in the fraud prevention industry

July 19, 2022
Reverse Email Lookup to Protect Against Fraud

Reverse Email Lookup to Protect Against Fraud

August 16, 2022
Silverfort Raises $65m Series C for World’s First Unified Identity Threat Protection Platform

The Worldwide eCommerce Fraud Detection & Prevention Industry is Expected to Reach $83.9 Billion by 2026

July 15, 2022
The fraud detection and prevention (FDP) market to surpass $100 billion by 2027

Pre-hijacking Account Takeover Fraud

July 14, 2022
  • Contribute
  • Contact Us
  • About
  • Join Us
  • Advertise
  • PaymentsReview.com
Wednesday, August 17, 2022
Merchant Fraud Journal
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
Merchant Fraud Journal
No Result
View All Result

How Online Web Skimming Attacks Work

by Bradley
July 30, 2019
in Articles, Fraud Prevention

TBIT / Pixabay

Online web skimming attacks continue to increase. This kind of eCommerce fraud attack works by fraudsters recording the information customers put into fake online payment forms. Stolen data includes credit card details, personal identifying information like names and addresses, and potentially even highly sensitive information like social security and passport numbers.

This kind of data theft does not directly hurt merchants. However, that doesn’t mean they shouldn’t take it very seriously. If the media pinpoints a merchant’s domain as a conduit for a skimming attack, it often does immense damage to the brand’s reputation. Sellers of commoditized goods should be especially wary. Customers may choose to avoid your shop in favor of competitors if they perceive your security to be lax and your site unsafe.

And because the eCommerce ecosystem continues to exponentially grow around the world, fraudsters increasingly take advantage of vulnerabilities. Web skimming attacks continue to plague online stores at both the SMB and enterprise level. Yet despite the already large number of high profile fraud attacks, the trend continues. Fraudsters find new success every day.

Online web skimming attacks work in a three stage process.

Stage 1: Gain (Undetected) Access to Site User Information

Online web skimming attacks start with a fraudster planting a skimming code. These codes are usually a piece of javascript. They are short and look very innocent, often mimicking legitimate processes and operations developers use to create eCommerce websites.

The technical, back-end nature of skimming codes explains why top CNP fraud prevention solutions can’t detect this kind of attack. Merchants need to pay careful attention to see what tactics are in vogue and use that information to do more to protect their own assets.

In addition, skimming works because fraudsters are increasingly adept at shrouding their tactics in a veil of user-facing legitimacy. A skilled hacker will make it impossible for customers to detect. Merchants cannot rely on chatter about user experiences to alert them to a problem.

In general, fraudsters gain access to website information in two ways:

  • Direct hacking. Fraudsters place the skimming code directly on the website. One method to accomplish this is a brute-force attack. A brute-force attack automates login credentials until it finds the correct combination to access a company account with administrator permissions. A second method is to exploit known software vulnerabilities, known as zero-day vulnerabilities.
  • Supply chain attacks. Fraudsters infect a single vendor that offers services used by a large number of eCommerce stores. For example, a successful attack against online advertising platform Adverline delivered the Magecart skimming code to hundreds of client vendors.

Stage 2: Collect Sensitive Data from Site Users

Once a fraudster gains access, they use it to steal personal data from site users. A variety of tactics exist to accomplish this. But two are very common because they give direct access to verified, accurate data:

  • Fake forms. Hackers “hijack” the forms site users use to make a payment. When the user sends the form to the merchant, the data is also transferred to the fraudster’s servers. For example, a shopping cart form that requests the name, address, credit card number, CVV number, and email address will send a fraudster data they can easily use to make fraudulent purchases themselves, or sell on the dark web. Crucially, the form still completes the transaction, with zero friction in the customer experience. It’s estimated at least 4,800 online forms were targeted “formjacked” in 2018.
  • Keylogging. Hackers record the keyboard strokes made by a user. When a user fills out a form, the fraudster can see which keys they pressed to enter their login credentials. This way, even if the merchant successfully encrypts data, the fraudster still gains access to passwords, credit card numbers, and any other inputed information.

Stage 3: Store the Stolen Data

Finally, fraudsters must store the data they steal. Nothing can be done by merchants at the stage of the process. However, there is at least one very important reason to conceptualize it: the information is commonly sent to a proxied domain.

The proxy domain setup is another way fraudsters hide their tracks and keep their online web skimming attacks hidden from merchants. It’s common for the domain used to mimic the legitimate site. This tactic played a role in a highly successful skimming attack on the site of British Airways that lasted three weeks and compromised 380,000 users.

The Best Way to Protect Against Online Web Skimming Attacks

Skimming attacks continue to succeed because merchants remain ill-equipped to prevent them. Unlike detecting native account takeover attacks against in-house assets, it’s tempting to have less urgency about user-facing damage. But it should not be. After the British Airways skimming attack, CEO Alex Cruz was forced to go on a mea culpa tour apologizing for the damage caused to customers.

To avoid that, merchants should do whatever they can to secure their API calls. In addition, they should simply pay attention to their systems. Fraudsters do all they can to remain in the shadows; the best way to stop their skimming attacks is to constantly shine light in all of the places they hide.

Tags: Online Skimming
ShareTweetShareSend
Previous Post

Fake Google Domains Target Magento Users

Next Post

Capital One Data Breach Hits 100 Million US Customers

Next Post

Capital One Data Breach Hits 100 Million US Customers

Our Sponsors

Our Latest Report

Get the 2022 Fraud Trends Report

MFJ 2022 Fraud Trends Report

Search Our Site

No Result
View All Result

Featured Directory Listings

  • SEON. Fraud Fighters
  • Microsoft Dynamics 365 Fraud Protection
  • Spotrisk
  • logo
    NoFraud
  • Ekata
  • sift logo
    Sift
  • Pipl
  • nSure.ai logo
    nSure.ai
  • PayRetailers

Our Sponsors

Fraud Industry News

10 Best OSINT Tools

10 Best OSINT Tools

August 15, 2022
How Print on Demand Companies Can Prevent Chargebacks

How Print on Demand Companies Can Prevent Chargebacks

August 11, 2022
KYC & AML: Know your customer and anti-money laundering explained

KYC & AML: Know your customer and anti-money laundering explained

August 7, 2022

Connect With Us

Quick Navigation

  • Home
  • News
  • Join Us
  • About Us
  • Contact Us
  • Advertise
  • Contribute
  • Privacy Policy

The Payments Media Network

Merchant Fraud Journal
Payments Review

Privacy Policy

Our Privacy Policy
Our Terms of Use

Resources

  • Articles
  • eCommerce Fraud Reports
  • eCommerce Fraud Webinars
  • Training and Certifications
  • Jobs Board
  • Associations and Non-Profits
  • Podcasts
  • Vendor Directory

Popular Posts

  • How Does Two-Factor Authentication (2FA) Work?

    How Does Two-Factor Authentication (2FA) Work?

    0 shares
    Share 0 Tweet 0
  • How to File a Claim With FedEx + What To Do If Claim is Denied

    0 shares
    Share 0 Tweet 0
  • Top eCommerce Fraud Prevention Companies

    0 shares
    Share 0 Tweet 0
  • How to Fight PayPal Chargeback Fraud

    0 shares
    Share 0 Tweet 0

Featured Vendors

  • Ekata
  • Pipl
  • PayRetailers
  • Spotrisk
  • Sift
  • Microsoft Dynamics 365 Fraud Protection
  • NoFraud
  • SEON. Fraud Fighters
  • nSure.ai

Download the 2022 Fraud Trends Report

No Result
View All Result
  • About Merchant Fraud Journal
    • Advertise on Merchant Fraud Journal
    • Interested in Contributing or Guest Posting to Merchant Fraud Journal?
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Contact Us
  • Download Addressing Payment Fraud and Customer Experience Report
  • Download Evolving Complexities of Payment Fraud Report
  • Download the 2020 Chargeback and Representment Report
  • Download the 2020 Merchant Fraud Journal Vendor Guide
  • Download the 2021 Fraud Trends Report
  • Download the 2022 Fraud Trends Report
  • Download the 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue Report
  • Download the MFJ 2022 Customer Experience Report
  • Download the MFJ ATO in Retail Report
  • Home
  • Job Dashboard
  • Join The Merchant Fraud Journal Community
  • Merchant Fraud Journal Advertising Agreement
  • MFJ Fraud Trends Report Giveaway
  • News
  • Post a Job
  • Privacy Policy
  • Resources
    • 2020 Chargeback Representment Guide for Merchants
    • 2020 Vendor Guide
    • 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue
    • Addressing Payment Fraud and the Customer Experience in 2022
    • Associations and Non-Profits
    • ATO Fraud In Retail Report
    • Balancing Customer Experience and Fraud Prevention: What’s the Secret?
    • Digital Trust & Safety: Combating the Evolving Complexities of Payment Fraud
    • eCommerce Fraud Reports
    • eCommerce Fraud Webinars
    • Fraud Prevention Training and Certifications
    • Jobs Board
    • Merchant Fraud Journal’s Fraud Trends 2020 Report
    • Merchant Fraud Journal’s Fraud Trends 2021 Report
    • Merchant Fraud Journal’s Fraud Trends 2022 Report
    • MFJ’s 2022 Customer Experience Report
    • Podcasts
    • Prevent High-Velocity Fraud Attacks During the 2021 Holiday Season
    • Vendor Directory
    • Webinar – Addressing Payment Fraud and the Customer Experience in 2022
    • Webinar – Mitigating Fraud and Risk on the ACH Network
    • Win January Chargeback Disputes
  • Subscribed
  • Terms and Conditions

© 2021 Payments Media Solutions Canada Inc.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
[class^="wpforms-"]
[class^="wpforms-"]