RH-ISAC BLOG

The Threat of Online Skimming to Payment Security

Author: PCI Security Standards Council

Below we cover basic questions with PCI SSC Chief Technology Officer Troy Leach about a newly released bulletin by the PCI SSC and RH-ISAC on the topic of digital skimming and how to detect and prevent this dangerous threat. For more information about best practices for detection and prevention, review the full bulletin here.

Q.  What is the threat bulletin that the PCI SSC has issued?

A.  Based on feedback from payment industry stakeholders, the PCI SSC felt now was the time to issue a bulletin about the emerging threat of online skimming.  What we have developed is a bulletin, in cooperation with our friends at the Retail & Hospitality ISAC, which sounds the alarm on this threat.  Our goal is to educate the marketplace about what the threat is and how best to detect and prevent this type of attack.

Q.  What is digital skimming?  Is that the same thing as the Magecart attack?

A. Web-based or Online Skimming attacks are attacks that infect e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers and are very difficult to detect. Once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumer being aware that the information has been compromised.

A term sometimes used in the press for this threat is Magecart.  Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.

 Q. So how exactly do these attacks work?

A.  Without the proper controls in place, these attacks can be very difficult to detect.  That is what makes them so dangerous.  Threat actors use various methods, which include exploiting vulnerable plugins, brute force login attempts (credential stuffing), phishing and other social engineering techniques.  All in an attempt to gain access and inject malicious code.  These attacks are either directly into e-commerce websites or often into a third-party’s software libraries that merchants rely upon.  These service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them. 

Examples of these attacks to third-party applications and services include advertising scripts, live chat functions, and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. Because these third-party functions are typically used by multiple e-commerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.

The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details including, billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.

Q.  Who is most at risk of digital skimming attacks?  

A.  Any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Attacks target e-commerce websites, third-party service providers, and companies providing applications used on websites. Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software.

Additionally, the threat is persistent.  One in five Magecart-infected stores are re-infected within days, according to a report by security researcher Willem de Groot.[i] For that reason, it is crucial that affected systems be cleaned and that underlying vulnerabilities be patched or mitigated. If an underlying vulnerability is not addressed, or if some of the attacker’s code remains on the system, it could lead to reinfection.

Q.  What are some detection best practices to detect these threats before they can cause damage?

A.  The ability to detect these threats before they can cause damage is significantly important. Some ways to detect this type of attack are:

  • Use of vulnerability security assessment tools to test web applications for vulnerabilities
  • Use of file-integrity monitoring or change-detection software
  • Performing internal and external network vulnerability scans
  • Performing period penetration testing to identify security weaknesses

Q.  What are some prevention best practices to stop this attack form happening in the first place? 

A.  The best protection to mitigate against these attacks is to adopt a layered defense that includes patching operating systems and software with the latest security updates. Some recommendations to prevent these type of attacks include:  

  • Implement malware protection and keep up to date
  • Apply security patches for all software
  • Restrict access to only what is absolutely needed and deny all other access by default 
  • Use strong authentication for all access to system components

For more information about best practices for detection and prevention, review our full bulletin at https://rhisac.org/wp-content/uploads/PCISSC_Magecart_Bulletin_RHISAC_FINAL.pdf


[i] Catalin Cimpanu, one in five Magecart-infected stores get reinfected within days, November 15, 2018 — 06:30 GMT, https://www.zdnet.com/article/one-in-five-magecart-infected-stores-get-reinfected-within-days/