PCI SSC and the U.S. Chamber of Commerce share guidance and information on protecting against online skimming attacks in the face of the COVID-19 crisis. On this blog Troy Leach, Senior Vice President, Engagement Officer for the PCI Security Standards Council, and Christopher Roberti, Senior Vice President, Cyber, Intelligence and Security Policy & Chief of Staff of the U.S. Chamber of Commerce, discuss this important topic.
What kind of threats are lurking online related to the COVID-19 crisis?
Troy Leach: As the world adjusts to the ongoing COVID-19 crisis, the amount of online activity has increased dramatically as more and more people work and shop from home. This increased activity is the “new normal” for many people around the world. For cybercriminals, it represents a golden opportunity to take advantage of the global pandemic and attack during a time of vulnerability. It is important now more than ever to be aware of online scams and threats as they are increasing in volume and sophistication.
One type of attack that poses an ever-increasing threat is that of online skimming. According to security firm RiskIQ, their company has detected a 20 percent increase in online skimming activity in March compared to February. Online skimming has been a serious threat for years, but now increased ecommerce activity makes dealing with this threat even more urgent.
Read this article from Wired: Online Credit Card Skimmers Are Thriving During the Pandemic
What is digital skimming? Is that the same thing as the Magecart attack?
Troy Leach: Web-based or online skimming attacks are attacks that infect e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers, and are very difficult to detect. Once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumer being aware that the information has been compromised.
A term sometimes used in the press for this threat is Magecart. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.
So how exactly do these attacks work?
Troy Leach: Without the proper controls in place, these attacks can be very difficult to detect. That is what makes them so dangerous. Threat actors use various methods, which include exploiting vulnerable plugins, brute force login attempts (credential stuffing), phishing and other social engineering techniques, all to gain access and inject malicious code. The code is injected either directly into e-commerce websites or, often, into a third party’s software libraries that merchants rely upon. These service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.
Examples of these attacks to third-party applications and services include advertising scripts, live chat functions, and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. Because these third-party functions are typically used by multiple e-commerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details including, billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
What businesses are at risk of this devious attack? Should small merchants care about this?
Christopher D. Roberti: Yes, any small merchants or online exchanges that do not have effective security controls in place are potentially vulnerable. Small businesses are no exception and might even be more at risk because they are especially vulnerable during the COVID-19 crisis. Many small merchants are working with reduced staff and do not have large IT departments or budgets to monitor for such threats. Many small merchants rely on payment security third parties, some of whom have been demonstrated to be susceptible to this attack.
According to the 2019 Verizon Data Breach Report, 43 percent of cyberattacks target small businesses. In fact, the Verizon report shows that cyberattacks on small businesses represent the largest share of all the attacks in the report. We, and government and industry experts, have observed over the past couple of weeks that advanced persistent threat actors and cybercriminals have significantly increased cyberattacks. We can expect this trend to continue for the foreseeable future. Many threat actors are using COVID-19 as a lure or theme in phishing campaigns or to spread malware. Other threat actors are leveraging known vulnerabilities in VPN products to attack remote access or teleworking infrastructure.
Who is most at risk of digital skimming attacks?
Troy Leach: Any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Attacks target e-commerce websites, third-party service providers, and companies providing applications used on websites. Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software.
Additionally, the threat is persistent. One in five Magecart-infected stores are re-infected within days, according to a report by security researcher Willem de Groot. For that reason, it is crucial that affected systems be cleaned and that underlying vulnerabilities be patched or mitigated. If an underlying vulnerability is not addressed, or if some of the attacker’s code remains on the system, it could lead to reinfection.
What are some best practices to detect these threats before they can cause damage?
Troy Leach: The ability to detect these threats before they can cause damage is significantly important. Some ways to detect this type of attack are:
- Use of vulnerability security assessment tools to test web applications for vulnerabilities
- Use of file-integrity monitoring or change-detection software
- Performing internal and external network vulnerability scans
- Performing periodic penetration testing to identify security weaknesses
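To make the file-integrity / change-detection item above concrete, here is a small added example (written for this page, not PCI SSC or Chamber code) that fingerprints every script a checkout page loads, including third-party ones, and reports scripts that changed, appeared or disappeared since a reviewed baseline. The URLs and script bodies are constructed sample data; in use, the bodies would be fetched from each URL or read from the web root on a schedule.

```python
import hashlib
import json

# Constructed sample data: script URL -> content as observed when the
# baseline was reviewed, and again at a later scan. Hypothetical hosts.
BASELINE_SCRIPTS = {
    "https://cdn.example-chat.invalid/widget.js": "window.chat = {open: function () {}};",
    "https://shop.example.invalid/js/checkout.js": "function submitPayment(f) { return f; }",
}
CURRENT_SCRIPTS = {
    # Third-party chat widget now carries content that was not there at baseline.
    "https://cdn.example-chat.invalid/widget.js":
        "window.chat = {open: function () {}};/* content appended after baseline */",
    "https://shop.example.invalid/js/checkout.js": "function submitPayment(f) { return f; }",
    # A script host the checkout page did not load at baseline time.
    "https://stats.example-ads.invalid/t.js": "/* not present at baseline */",
}


def fingerprint(scripts):
    """Return {url: sha256 hex digest} for a mapping of script URL -> content."""
    return {url: hashlib.sha256(body.encode("utf-8")).hexdigest()
            for url, body in scripts.items()}


def detect_changes(baseline, current):
    """Compare two fingerprint sets and return changed, added and missing URLs.

    Any non-empty list is an alert for review; the baseline should only be
    updated after a human has confirmed the new content is legitimate.
    """
    changed = sorted(u for u in baseline if u in current and baseline[u] != current[u])
    added = sorted(u for u in current if u not in baseline)
    missing = sorted(u for u in baseline if u not in current)
    return {"changed": changed, "added": added, "missing": missing}


def main():
    report = detect_changes(fingerprint(BASELINE_SCRIPTS), fingerprint(CURRENT_SCRIPTS))
    print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

Running the scan on the sample data flags the modified chat widget and the new script host while the merchant's own checkout script is unchanged.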
What are some prevention best practices to stop this attack from happening in the first place?
Troy Leach: Prevention begins with awareness of the threat for your organization and the third-party services you may rely upon. The best approach to mitigating against these attacks is to adopt a layered defense that includes regular patching of software and supporting systems with the latest security updates. Some additional recommendations to prevent these types of attacks include:
- Implement malware protection and keep up to date
- Restrict access to payment data and supporting environments to only what is necessary and deny all other access by default
- Ensure responsibilities with third parties are well understood
- Use strong authentication for all access to system components
For more information about best practices for detection and prevention, review our full bulletin.
For information on COVID-19 related cybersecurity topics please visit the PCI Security Standards Council’s dedicated COVID-19 webpage.
What are some ways small merchants can learn more about cybersecurity in general and the threats they face?
Christopher D. Roberti: The coronavirus pandemic is affecting small businesses in a series of ways. Our members range from mom-and-pop shops and local chambers to leading industry associations and large corporations. From the loss of revenue to remote work to shifting supply chains to a dramatic shift to online operation, the COVID-19 pandemic has fast changed the ways we live our lives, and businesses are being forced to adapt.
Policy experts at the Chamber have been busy putting together guides and checklists to help navigate the various loan programs available through the stimulus bill for small businesses. See below for a guide on each and how it can help you:
- Save Small Business Initiative
- Small Business Emergency Loan Guide (PPP)
- Small Business Economic Injury Disaster Loan (EIDL)
- COVID-19 Resource Center from the U.S. Chamber
The Chamber recently conducted a workshop on April 29th: Protecting Your Business from Cyber Threats. Visit the U.S. Chamber of Commerce website to view a replay of the workshop. To stay up to date on the most important news for business, the latest resources and guidance, and updates on the actions we are taking at the U.S. Chamber please visit the U.S. Chamber of Commerce Coronavirus Live Blog.
Resources to help you:
- Bulletin: The Threat of Online Skimming to Payment Security
- PCI SSC COVID-19 Webpage
- 8 Tips for Small Merchants: Protecting Payment Data During COVID-19
- U.S. Chamber of Commerce Coronavirus Live Blog
- U.S. Chamber of Commerce Internet Security Essentials for Business 2.0