Credit card skimming – the use of hardware or software to steal credit card details – has long been a problem for retailers and the credit card industry.

Whether criminals attach physical skimming machines to ATMs or inject skimming software into eCommerce applications, skimming hurts customers and retailers alike. But a recent wave of targeted skimming attacks by the Magecart criminal group and others increases the stakes for retailers.

Online retailers generally use third-party payment processors when taking credit card payments. Credit card details are not kept in the store’s database so they can’t be stolen, even if the site is compromised. Skimming software uses JavaScript running on payment pages to send data to servers under the control of criminals immediately after it has been entered. Once the malicious code is injected, this type of attack is difficult to mitigate.

Magecart’s skimming software has stolen hundreds of thousands of numbers across several major campaigns. In September, British Airways revealed that the details of 380,000 customers had been stolen, including personal and payment information. Ticketmaster’s customers were the targets of a similar attack. Security researcher Willem de Groot recently reported that 8,000 Magento stores were running the skimming software.

How Is Skimming Software Injected Into eCommerce Stores?

Skimming software is a small snippet of JavaScript that gathers the content of a webform and sends it to a server the criminals’ control. The code is not complex or sophisticated; the real problem criminals face is getting their code onto eCommerce stores so that it is served to customers. Several vectors are used, depending on the target.

Known vulnerabilities

Criminals often exploit known vulnerabilities to compromise eCommerce stores. Magento’s spokesperson says that almost all of the infected sites hadn’t been patched or updated correctly.

Brute-force attacks

Researcher Willem de Groot believes that most of the skimmers were injected via compromised accounts on eCommerce sites. The attackers use bots to guess usernames and passwords until they hit on the right combination.

Supply chain attacks

Instead of targeting eCommerce stores directly, criminals may focus on software that is popular with the target group. A recent example is the compromise of Feedify, a push notification service for the web. Retailers use Feedify by embedding the service’s JavaScript on their pages. Criminals compromised Feedify’s infrastructure, inserted malicious code into the Feedify library, and thereby onto eCommerce stores that load the library.

Targeted attacks

For high-value victims such as British Airways, the criminals create sophisticated strategies with dedicated infrastructure and custom software.

Targeted attacks may involve phishing and other social engineering strategies which cannot be defeated with simple security precautions, but the majority of attacks against Magento and WooCommerce stores leverage vulnerabilities that are easily mitigated.

  • Update and patch. eCommerce stores are almost always compromised because they have not been patched with security fixes and updated to recent versions. If a store is not kept up-to-date, it is only a matter of time before it is compromised.
  • Use two-factor authentication on admin accounts. In an ideal world, store administrators would choose long and random passwords that can’t be guessed by brute-force bots. We don’t live in an ideal world, but two-factor authentication removes some risk by insisting on a second, harder-to-guess factor.
  • Monitor security news and software vendors. The news of Feedify’s compromise was widely reported. Magento maintains a Security Center with regular updates. There are dozens of sources for security alerts about WordPress and WooCommerce. With tools such as Google Alerts, you can track news about the software you use so that you don’t miss important security alerts.

The massive scale of skimming attacks against eCommerce in recent months is something that all retailers should be worried about, but with a few security best practices, the chances of being infected by skimming malware is low. eCommerce businesses without the expertise to secure their site against skimming, should get professional help and use managed eCommerce hosting that will take care of basic security precautions.

Graeme Caldwell

Writer and Content Marketer at Nexcess
Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, from TechCrunch to TemplateMonster. For more content, visit the Nexcess blog and give them a follow at @nexcess.