Online web skimming attacks continue to increase. This kind of eCommerce fraud attack works by fraudsters recording the information customers put into fake online payment forms. Stolen data includes credit card details, personal identifying information like names and addresses, and potentially even highly sensitive information like social security and passport numbers.
This kind of data theft does not directly hurt merchants. However, that doesn’t mean they shouldn’t take it very seriously. If the media pinpoints a merchant’s domain as a conduit for a skimming attack, it often does immense damage to the brand’s reputation. Sellers of commoditized goods should be especially wary. Customers may choose to avoid your shop in favor of competitors if they perceive your security to be lax and your site unsafe.
And because the eCommerce ecosystem continues to exponentially grow around the world, fraudsters increasingly take advantage of vulnerabilities. Web skimming attacks continue to plague online stores at both the SMB and enterprise level. Yet despite the already large number of high profile fraud attacks, the trend continues. Fraudsters find new success every day.
Online web skimming attacks work in a three stage process.
Stage 1: Gain (Undetected) Access to Site User Information
Online web skimming attacks start with a fraudster planting a skimming code. These codes are usually a piece of javascript. They are short and look very innocent, often mimicking legitimate processes and operations developers use to create eCommerce websites.
The technical, back-end nature of skimming codes explains why top CNP fraud prevention solutions can’t detect this kind of attack. Merchants need to pay careful attention to see what tactics are in vogue and use that information to do more to protect their own assets.
In addition, skimming works because fraudsters are increasingly adept at shrouding their tactics in a veil of user-facing legitimacy. A skilled hacker will make it impossible for customers to detect. Merchants cannot rely on chatter about user experiences to alert them to a problem.
In general, fraudsters gain access to website information in two ways:
- Direct hacking. Fraudsters place the skimming code directly on the website. One method to accomplish this is a brute-force attack. A brute-force attack automates login credentials until it finds the correct combination to access a company account with administrator permissions. A second method is to exploit known software vulnerabilities, known as zero-day vulnerabilities.
- Supply chain attacks. Fraudsters infect a single vendor that offers services used by a large number of eCommerce stores. For example, a successful attack against online advertising platform Adverline delivered the Magecart skimming code to hundreds of client vendors.
Stage 2: Collect Sensitive Data from Site Users
Once a fraudster gains access, they use it to steal personal data from site users. A variety of tactics exist to accomplish this. But two are very common because they give direct access to verified, accurate data:
- Fake forms. Hackers “hijack” the forms site users use to make a payment. When the user sends the form to the merchant, the data is also transferred to the fraudster’s servers. For example, a shopping cart form that requests the name, address, credit card number, CVV number, and email address will send a fraudster data they can easily use to make fraudulent purchases themselves, or sell on the dark web. Crucially, the form still completes the transaction, with zero friction in the customer experience. It’s estimated at least 4,800 online forms were targeted “formjacked” in 2018.
- Keylogging. Hackers record the keyboard strokes made by a user. When a user fills out a form, the fraudster can see which keys they pressed to enter their login credentials. This way, even if the merchant successfully encrypts data, the fraudster still gains access to passwords, credit card numbers, and any other inputed information.
Stage 3: Store the Stolen Data
Finally, fraudsters must store the data they steal. Nothing can be done by merchants at the stage of the process. However, there is at least one very important reason to conceptualize it: the information is commonly sent to a proxied domain.
The proxy domain setup is another way fraudsters hide their tracks and keep their online web skimming attacks hidden from merchants. It’s common for the domain used to mimic the legitimate site. This tactic played a role in a highly successful skimming attack on the site of British Airways that lasted three weeks and compromised 380,000 users.
The Best Way to Protect Against Online Web Skimming Attacks
Skimming attacks continue to succeed because merchants remain ill-equipped to prevent them. Unlike detecting native account takeover attacks against in-house assets, it’s tempting to have less urgency about user-facing damage. But it should not be. After the British Airways skimming attack, CEO Alex Cruz was forced to go on a mea culpa tour apologizing for the damage caused to customers.
To avoid that, merchants should do whatever they can to secure their API calls. In addition, they should simply pay attention to their systems. Fraudsters do all they can to remain in the shadows; the best way to stop their skimming attacks is to constantly shine light in all of the places they hide.