fbpx
News
MasterCard Purchases Ethoca
News
Marriott CEO Testifies to Congress About 2018 Data Breach
News
Medical data breach may have exposed info about 600,000 Michigan patients
News
German Ecommerce Worth 58.8 Billion Euros in 2019
News
NJ Data Breaches Lead to Increased Focus on Cybersecurity
News
Worldnet Payments Enters Agreement with POSDATA
News
Marqeta Raises $250 Million Series E Funding
News
Doxo Offers Apple Pay Solutions
News
UK Banks Prevented More than £1.12b in Card Fraud in 2018
News
Verifi Launches Self-Service Chargeback Representment
News
One of the Biggest Data Breaches Ever Compromises Personal Info From Nearly 1 Billion Email Addresses
News
540 Million Facebook Accounts Exposed on Vulnerable AWS Servers
News
Facebook Changes Terms to Comply with European Commission Demands
News
Nethone Raises Over $1 Million to Develop Artificial Intelligence to Fight Chargebacks
News
Chargeback Gurus Enters the Finals of Dallas Business Journal Entrepreneur Contest
News
Terbium Labs Reveals the Dark Web’s “How To” Guide to Committing Ecommerce Fraud
News
Thales Finishes Acquisition of Digital Identity and Security Company Gemalto
News
Ecommerce Fraud Events: Airline & Travel Payments Summit 2019
News
McDonald’s App Hacked In $2,000 ATO Fraud Attack
News
IntSights Releases New Report On the Biggest Fraud Prevention Challenges Facing Banking & Financial Services
News
Online Advertising Fraud Down Nearly $1 Billion Dollars, According to New Association of National Advertisers Report
News
Synthetic Identity Fraud: TransUnion Announces New Rapid Default Model
News
PrismWeb Fraud Attack: Hackers Steal Student Payment Data from 197 American & Canadian Universities
News
Checkout.com Raises $230m Series A Round of Funding
News
Barracuda Networks Releases New ATO Report
News
2019 AFP Payments Fraud and Control Survey Released
News
Sextortion Email Scam Nets Fraudsters $1 million in Bitcoin
News
IBM X-Force Threat Intelligence Index 2019 Released
News
Avanan Releases Global Phish Report 2019
News
EdgeWave releases new Report: “How to Fight the Phishing Epidemic and Win”
News
RSA Q1 2019 Fraud Report Released
News
BalBix Releases New Report: How to Use AI to Tackle Cyber-Security Challenges
News
PayPal Commerce Platform Launches
News
ECBSV SSN Verification Pilot Program Begins
News
Zelle Scam Cleans Out the Bank Accounts of Unsuspecting Victims
News
Google Pay PayPal Connection Expanded
News
Data Breach Exposes Secrets of Ford, TD Bank
News
Visa Acquires Verifi
News
Orvibo IoT Devices Suffer Massive Data Breach
News
ICO Fines British Airways £183.39m for Data Breach
News
PayPal Xoom Europe Launches
News
Mnuchin: Facebook Libra “Threat”
News
FinCEN Business Email Compromise Report Released
News
Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 Report Released
News
Fake Google Domains Target Magento Users
News
Capital One Data Breach Hits 100 Million US Customers
News
Pearson Data Breach Compromises 100,000+ Students
News
Capital One Data Breach Class Action Lawsuit Initiated
News
NormShield Releases State of Financial Phishing Q1 2019
Sunday, August 18, 2019
News
MasterCard Purchases Ethoca
News
Marriott CEO Testifies to Congress About 2018 Data Breach
News
Medical data breach may have exposed info about 600,000 Michigan patients
News
German Ecommerce Worth 58.8 Billion Euros in 2019
News
NJ Data Breaches Lead to Increased Focus on Cybersecurity
News
Worldnet Payments Enters Agreement with POSDATA
News
Marqeta Raises $250 Million Series E Funding
News
Doxo Offers Apple Pay Solutions
News
UK Banks Prevented More than £1.12b in Card Fraud in 2018
News
Verifi Launches Self-Service Chargeback Representment
News
One of the Biggest Data Breaches Ever Compromises Personal Info From Nearly 1 Billion Email Addresses
News
540 Million Facebook Accounts Exposed on Vulnerable AWS Servers
News
Facebook Changes Terms to Comply with European Commission Demands
News
Nethone Raises Over $1 Million to Develop Artificial Intelligence to Fight Chargebacks
News
Chargeback Gurus Enters the Finals of Dallas Business Journal Entrepreneur Contest
News
Terbium Labs Reveals the Dark Web’s “How To” Guide to Committing Ecommerce Fraud
News
Thales Finishes Acquisition of Digital Identity and Security Company Gemalto
News
Ecommerce Fraud Events: Airline & Travel Payments Summit 2019
News
McDonald’s App Hacked In $2,000 ATO Fraud Attack
News
IntSights Releases New Report On the Biggest Fraud Prevention Challenges Facing Banking & Financial Services
News
Online Advertising Fraud Down Nearly $1 Billion Dollars, According to New Association of National Advertisers Report
News
Synthetic Identity Fraud: TransUnion Announces New Rapid Default Model
News
PrismWeb Fraud Attack: Hackers Steal Student Payment Data from 197 American & Canadian Universities
News
Checkout.com Raises $230m Series A Round of Funding
News
Barracuda Networks Releases New ATO Report
News
2019 AFP Payments Fraud and Control Survey Released
News
Sextortion Email Scam Nets Fraudsters $1 million in Bitcoin
News
IBM X-Force Threat Intelligence Index 2019 Released
News
Avanan Releases Global Phish Report 2019
News
EdgeWave releases new Report: “How to Fight the Phishing Epidemic and Win”
News
RSA Q1 2019 Fraud Report Released
News
BalBix Releases New Report: How to Use AI to Tackle Cyber-Security Challenges
News
PayPal Commerce Platform Launches
News
ECBSV SSN Verification Pilot Program Begins
News
Zelle Scam Cleans Out the Bank Accounts of Unsuspecting Victims
News
Google Pay PayPal Connection Expanded
News
Data Breach Exposes Secrets of Ford, TD Bank
News
Visa Acquires Verifi
News
Orvibo IoT Devices Suffer Massive Data Breach
News
ICO Fines British Airways £183.39m for Data Breach
News
PayPal Xoom Europe Launches
News
Mnuchin: Facebook Libra “Threat”
News
FinCEN Business Email Compromise Report Released
News
Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 Report Released
News
Fake Google Domains Target Magento Users
News
Capital One Data Breach Hits 100 Million US Customers
News
Pearson Data Breach Compromises 100,000+ Students
News
Capital One Data Breach Class Action Lawsuit Initiated
News
NormShield Releases State of Financial Phishing Q1 2019

Online web skimming attacks continue to increase. This kind of eCommerce fraud attack works by fraudsters recording the information customers put into fake online payment forms. Stolen data includes credit card details, personal identifying information like names and addresses, and potentially even highly sensitive information like social security and passport numbers.

This kind of data theft does not directly hurt merchants. However, that doesn’t mean they shouldn’t take it very seriously. If the media pinpoints a merchant’s domain as a conduit for a skimming attack, it often does immense damage to the brand’s reputation. Sellers of commoditized goods should be especially wary. Customers may choose to avoid your shop in favor of competitors if they perceive your security to be lax and your site unsafe.

And because the eCommerce ecosystem continues to exponentially grow around the world, fraudsters increasingly take advantage of vulnerabilities. Web skimming attacks continue to plague online stores at both the SMB and enterprise level. Yet despite the already large number of high profile fraud attacks, the trend continues. Fraudsters find new success every day.

Online web skimming attacks work in a three stage process.

Stage 1: Gain (Undetected) Access to Site User Information

Online web skimming attacks start with a fraudster planting a skimming code. These codes are usually a piece of javascript. They are short and look very innocent, often mimicking legitimate processes and operations developers use to create eCommerce websites.

The technical, back-end nature of skimming codes explains why top CNP fraud prevention solutions can’t detect this kind of attack. Merchants need to pay careful attention to see what tactics are in vogue and use that information to do more to protect their own assets.

In addition, skimming works because fraudsters are increasingly adept at shrouding their tactics in a veil of user-facing legitimacy. A skilled hacker will make it impossible for customers to detect. Merchants cannot rely on chatter about user experiences to alert them to a problem.

In general, fraudsters gain access to website information in two ways:

  • Direct hacking. Fraudsters place the skimming code directly on the website. One method to accomplish this is a brute-force attack. A brute-force attack automates login credentials until it finds the correct combination to access a company account with administrator permissions. A second method is to exploit known software vulnerabilities, known as zero-day vulnerabilities.
  • Supply chain attacks. Fraudsters infect a single vendor that offers services used by a large number of eCommerce stores. For example, a successful attack against online advertising platform Adverline delivered the Magecart skimming code to hundreds of client vendors.

Stage 2: Collect Sensitive Data from Site Users

Once a fraudster gains access, they use it to steal personal data from site users. A variety of tactics exist to accomplish this. But two are very common because they give direct access to verified, accurate data:

  • Fake forms. Hackers “hijack” the forms site users use to make a payment. When the user sends the form to the merchant, the data is also transferred to the fraudster’s servers. For example, a shopping cart form that requests the name, address, credit card number, CVV number, and email address will send a fraudster data they can easily use to make fraudulent purchases themselves, or sell on the dark web. Crucially, the form still completes the transaction, with zero friction in the customer experience. It’s estimated at least 4,800 online forms were targeted “formjacked” in 2018.
  • Keylogging. Hackers record the keyboard strokes made by a user. When a user fills out a form, the fraudster can see which keys they pressed to enter their login credentials. This way, even if the merchant successfully encrypts data, the fraudster still gains access to passwords, credit card numbers, and any other inputed information.

Stage 3: Store the Stolen Data

Finally, fraudsters must store the data they steal. Nothing can be done by merchants at the stage of the process. However, there is at least one very important reason to conceptualize it: the information is commonly sent to a proxied domain.

The proxy domain setup is another way fraudsters hide their tracks and keep their online web skimming attacks hidden from merchants. It’s common for the domain used to mimic the legitimate site. This tactic played a role in a highly successful skimming attack on the site of British Airways that lasted three weeks and compromised 380,000 users.

The Best Way to Protect Against Online Web Skimming Attacks

Skimming attacks continue to succeed because merchants remain ill-equipped to prevent them. Unlike detecting native account takeover attacks against in-house assets, it’s tempting to have less urgency about user-facing damage. But it should not be. After the British Airways skimming attack, CEO Alex Cruz was forced to go on a mea culpa tour apologizing for the damage caused to customers.

To avoid that, merchants should do whatever they can to secure their API calls. In addition, they should simply pay attention to their systems. Fraudsters do all they can to remain in the shadows; the best way to stop their skimming attacks is to constantly shine light in all of the places they hide.

Tags:

Related Article

No Related Article

Join our Community

join the community

Our Sponsors

Stay in Touch

LINKEDIN

YOUTUBE