The US Federal Bureau of Investigation issued today a warning for the US private sector about e-skimming attacks, also known as web skimming, or Magecart attacks.
E-skimming attacks happen following a simple pattern: (1) hackers gain access to a company’s online store; (2) hackers hide malicious code on the company’s website; (3) the code collects payment card information from users while they’re making purchases on the infected site.
These types of attacks have been happening since 2016, but they’ve intensified during the last two years, in 2018 and 2019, and have become a problem that end-users, companies, and government agencies can no longer ignore.
Initially, these attacks were carried out by exploiting vulnerabilities in open-source e-shopping platforms, with Magento being the favorite target.
However, over the past two years, hackers have greatly diversified their attack methodology, and any online store is now susceptible to attacks, regardless of whether it runs on top of an open-source platform like Magento or on a cloud-hosted service.
Among the exploitation scenarios that have been observed and that led to e-skimming incidents are:
- Hacking a third-party company that provides widgets that load on online stores (tech support widgets, EU cookie compliance banners, etc.). In this scenario, the malicious code is loaded via the hacked third-party service.
- Placing the malicious code inside a company’s cloud hosting account that has been left open to outsiders, with “write” privileges. In this case, the attacker effectively modifies a site’s source code because the company forgot to secure an AWS bucket with the proper permissions.
- Hacking online store platforms and putting the code inside thousands of stores at a time.
- Hacking or phishing a store’s admin account and placing the e-skimming code inside the online store using this compromised and high-privileged account.
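The third-party-widget and injected-code scenarios above share one observable: a checkout page ends up loading a script that the store operator never approved. The following is an added example, not code from the original article or from the FBI, of a minimal script-inventory check an operator could run against a checkout page’s HTML; the approved-host allowlist, the recorded inline-script hash and the sample page are all constructed for the example.

```python
# Added example: flag scripts on a checkout page that are not on an allowlist,
# and inline scripts whose SHA-256 hash differs from the one recorded at the
# last review. Allowlist, known hash and sample HTML are constructed here.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

APPROVED_SCRIPT_HOSTS = {"cdn.example-widgets.com"}  # assumption: the store's vetted vendors


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data  # script content arrives as one data chunk

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_checkout_page(html, approved_hosts, known_inline_hashes):
    """Return (kind, detail) findings: unapproved hosts and unknown inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc  # empty for relative (first-party) paths
        if host and host not in approved_hosts:
            findings.append(("unapproved-host", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed sample page: one first-party script, one vetted widget, one
# unexpected third-party script, one reviewed inline block, one unreviewed block.
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-widgets.com/support.js"></script>
<script src="https://cdn.unknown-third-party.test/cookie-banner.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script>document.title = "Checkout";</script>
</body></html>"""
KNOWN_INLINE_HASHES = {hashlib.sha256(b'window.checkoutConfig = {currency: "USD"};').hexdigest()}

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML, APPROVED_SCRIPT_HOSTS, KNOWN_INLINE_HASHES):
        print(kind, detail)
```

Running this periodically against a live checkout page and diffing the findings against the previous run turns a silent script injection into an alert rather than a discovery made weeks later.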
In the most recent report detailing e-skimming attacks, published at the start of the month, cyber-security firm RiskIQ said it observed this type of malicious code on more than 18,000 domains.
Some of these attacks are carried out by unsophisticated hacker groups using e-skimming toolkits bought from online hacking forums, but other attacks are the work of experienced and long-lived criminal groups, involved in many other types of cyber-crime activities.
Now, as part of the yearly Security Awareness Month, the FBI is urging companies to take note of this new breed of attacks and put security measures in place to protect end-users.
“This warning is specifically targeted to small and medium-sized businesses and government agencies that take credit card payments online,” the FBI said.
Together with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI is recommending that companies and government agencies:
From an end-user’s perspective, there is not much they can do to detect or prevent an e-skimming attack.
One solution is to use an antivirus product, but not all are kept up-to-date with the latest lists of domains that hackers are using for their attacks. Antivirus products may be able to detect a one-day-old compromised site, but they’re not able to detect recently hacked sites, so there’s always a small window of time during which users can have their data stolen, even if they use antivirus products.
Another solution is for end-users to sign up for a “virtual card” service. These are online payment solutions where users get a one-time payment card number they can use for one transaction only.
Even if the card number is used on a compromised site, once the transaction is completed, the card number expires, and hackers won’t be able to use it afterward. The downside is that “virtual card” services aren’t always available in all countries around the globe, and not all users will be able to get one.
For the time being, e-skimming attacks will remain one of today’s top threats, with no single silver bullet solution to either detect or stop these attacks.
As the FBI and DHS CISA suggest, the easiest way to prevent this is to block hackers from gaining access to sites in the first place, rather than relying on detecting ongoing attacks.