We recently updated our systems. If you’re having trouble or something isn’t working quite right, please tell us about it.

Digital skimming — an evolving and adaptive threat

Learn how to protect your assets

Gwynne Leach | February/March 2020 Footnote

Editor's note: Updated January 31, 2020

In common language, digital skimming is the theft of information during an online interaction.

Traditionally, this only included e-commerce transactions, but it has evolved to also include login credential collection. The information thieves steal via skimming include usernames, passwords, security questions, card holder names, credit card numbers, expiration dates and credit card security codes. Basically, all personal information has value on the dark web.

As business and personal lives become more and more dependent upon online interaction, the threat surface for falling victim to skimming attacks is also growing. With so much to gain financially, cybercriminals are highly motivated and have become increasingly organized to better steal our information.

For these reasons, it is imperative that all businesses and individuals take steps to protect themselves in the online world.

The evolution of skimming

Skimmers were first reported in 2002 as physical devices inserted into point-of-sale (POS) appliances that copied information from credit card magnetic strips when swiped. These early devices required physical access to the card scanner to install and then later to exfiltrate the stored data. These early devices were highly risky and challenging for thieves and, therefore, presented a small overall threat.

The next generation of skimming was the electronic hacking into POS systems (rather than physically installing a skimming device) and the digital exfiltration of the stolen information. Famous examples of this type of theft are the Target and Home Depot breaches of 2013 and 2014, respectively, where malicious code was installed by hackers on to the card readers at retail locations. The malicious code copied transaction information as the POS system captured it and sent it back to the criminals.

Consumer retail behavior has evolved to be increasingly online, and the skimming threat has adapted to more efficiently steal consumer data. Modern skimmers steal data from online retailers through malware that skims the data as the consumer enters it into an online form. These are called card-not-present (CNP) attacks. It’s the same concept as the original physical card reading skimming, but it’s stealing data online rather than through a POS device. The theft is accomplished by injecting small malicious code onto retail checkout webpages. Digital skimming has become so profitable and easy to perpetrate that it’s estimated there are more than a dozen active and organized cybercriminal enterprises currently conducting digital skimming attacks.

The ease of the crime

One version of electronic skimming malicious code, Magecart, requires less than 20 lines of JavaScript on a retail website. Because the payload is so small, it is easy to hide among the rest of the website code. The code can be even further obscured via javascriptobfuscator.com, which renders the code unreadable to humans and prevents searching for common malicious code signatures.

In one of the first Magecart attacks in 2018, British Airways had approximately 500,000 customer names, email addresses, physical addresses, credit card numbers and security codes stolen by thieves during a two-week period. As a result of this breach, the United Kingdom Information Commissioner’s Office (ICO) levied a fine of $229 million, stating that British Airways failed to “look after” the personal data with which it was entrusted.

Recently, Visa USA issued a security alert on a new JavaScript-based skimmer, which they have named Pipka. This threat offers criminals several advantages over previous skimming malware. First, it allows threat actors to configure which form fields to exfiltrate, such as payment account number. In addition, it checks to see if the string was previously sent so that duplicate data is not sent. Finally, and most interestingly dangerous, Pipka removes itself from the HTML code following successful execution. This is new anti-forensic behavior that has never been seen before in JavaScript skimmers; it will make it very difficult for companies to know if their site has been compromised.

Although the malicious code is very small, hard to detect and readily available, administrative access to the website’s source code is still required to add the JavaScript. This means simply that, although this is a very concerning threat, normal and standard security practices are an effective defensive strategy.

The education of the defenders

Electronic skimmers require access to the website source code for initial installation. Companies who host retail payment solutions or host other sensitive information, like tax-related material, should follow security best practices to harden against these attacks. Some best practices include:
  • Limit administrative access to e-commerce websites and network infrastructure.
  • Use strong system and website administration passwords (use nonwords that contain numbers and special characters, are more than eight characters long and do not repeat characters) and change network device default passwords.
  • Configure firewall policies to restrict unnecessary access (deny all, whitelist).
  • Regular vulnerability scans for e-commerce sites (examples include Unmask Parasites, MageReport, WPScan or ManageEngine Vulnerability Manager Plus).
  • Use Content Security Policy (CSP) standards when developing e-commerce sites (this is configured in the website code).
  • Install all system and device patches and upgrades as they become available.
  • Use an additional email security solution beyond what is natively included in business email products.
  • Use a behavior- and signature-based endpoint-protection solution (anti-virus/anti-malware).
  • Educate employees regarding common fraud and social engineering practices, including how to recognize suspicious emails. Employee training should include an initial awareness assessment, followed by targeted training and finally a simulated phishing campaign.
  • Consumers can mitigate their risk in several ways, including:
  • Using browser plugins, such as NoScript, that limit sites running JavaScript without permissions.
  • Only shopping trusted sites (trust certificates/https).
  • Continual monitoring of account activity to ensure only authorized charges are posting.
  • Using firewall rules and a trusted VPN (virtual private network) connection to prevent data exfiltration to untrusted sites.

The process of the rebound

When responding to a data breach, all the experts agree that the time to plan for a response is before it happens. The plan should be both actionable and comprehensive. It should contain all the steps that must be executed following an incident, as well as the role and person who will take the action.

There are many detailed documents and guidelines for how to create an incident response plan. Companies should find one that is appropriate for their industry and compliance requirements. Once created, the incident response plan should be communicated throughout the organization and practiced regularly — like a fire drill.

Cyber insurance is a tool that businesses could and can use to mitigate the risks of cyber breach and digital skimming. However, cyber insurance is not a cure all panacea that permits a business to avoid taking appropriate steps to protect themselves from all cybercrime. There is a wide variety of coverage across policies, but nearly all will include a prudent person clause that excludes damages caused through “failure to follow minimum required practices.” Additional exclusions may include acts of cyber warfare, conduct by internal actors, and damages that result from fraud through social engineering.

The future of the skim

The full scope and scale of digital skimming is not yet fully known. It is certainly an active threat in the e-commerce landscape, and the resulting cost of loss and damages will likely exceed the previous traditional point-of-sale skimming. It is assured that cybercriminal behavior will continue to mutate and adapt in innovative ways to overcome current-day security measures.

It is not enough to remain vigilant; we must also innovate our security protections and cyber solutions. There will never be a single and complete solution. Our protection must be as varied and as multifaceted as the threats we face. To defend against the tremendous quantity and variety of cyber-attacks, cyber defense must be layered and deep.

Gwynne Leach is a manager of operations at Ostra, which provides cyber security solutions to small and medium-sized businesses. She has a degree in cyber security and has worked for both small business and Fortune 100 companies. You may reach her at Gwynne@ostra.net.