As we continue to live in a digital-first world, we routinely entrust websites with our sensitive information. From online shopping to banking, and even social networking, our personal and financial data is constantly in motion across the internet. However, lurking behind the scenes are cybercriminals ready to exploit these websites and steal our valuable data.
One particularly insidious form of this malicious behaviour is E-Skimming, also known as digital skimming or online skimming. This involves cybercriminals injecting malicious code into a website, often targeting payment processing pages. This code captures the payment details and other personal information entered by users and transmits it to the attackers.
In this blog we delve deeper into what an e-skimming attack entails, breaking down how these attacks are executed, how to spot one, and the steps you can take to protect yourself and your organisation from future e-skimming attacks.
The Definition of an E-Skimming Attack
E-skimming attacks, also known as Magecart attacks or web skimming, are cyber-attacks in which hackers inject malicious code into a webpage to steal sensitive data that users enter into a website form.
Today, the most common e-skimming attacks are associated with stealing payment card information during the checkout process. These attacks can result in substantial financial losses and can negatively affect brand reputation.
How Does an E-Skimming Attack Work?
An E-skimming attack involves the following 4 stages:
- Infection
- Malicious Code Injection
- Data Collection
- Exfiltration
1. Infection
Attackers gain access to the targeted website through vulnerabilities such as outdated software, weak passwords, or phishing attacks targeting website administrators.
2. Malicious Code Injection
Once they have access to the site, the attackers inject malicious JavaScript into the pages where sensitive data is entered, such as the payment processing page.
3. Data Collection
When customers enter personal details, such as payment card details, into the website form, the malicious code captures this information in real time.
4. Exfiltration
The stolen data is then sent to a server controlled by the attackers, where it can be sold on the black market or used for fraudulent activities.
How to Spot the Signs of an E-Skimming Attack?
If you’re worried that you’ve fallen victim to an E-skimming attack, we recommend looking out for the following 7 signs:
- Unexpected Changes in Website Code
- Unusual Network Traffic
- Customer Complaints
- Unfamiliar Files on the Server
- Alerts from Security Tools
- Performance Problems
- Changes in Web Traffic Patterns
1. Unexpected Changes in Website Code
Look out for unexpected or unexplained changes to JavaScript or HTML code on the payment page, as well as new or unfamiliar scripts and external resources being loaded on the payment page.
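One way to watch for this sign (and for the injected script that stage 2 leaves behind) is to inventory the scripts on the checkout page and compare them with a known-good baseline. The following is an added example, not CWSI's tooling; the HTML snapshots, host names and baseline are constructed for illustration.

```python
"""Checkout-page script inventory check (added example, not CWSI's own code).

Parses a snapshot of the checkout page HTML, records every external script host
and a SHA-256 of every inline script body, and reports anything absent from a
baseline captured when the page was known-good. Sample HTML is constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptInventory(HTMLParser):
    """Collects <script src=...> hosts and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = set(), set(), False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(urlsplit(src).netloc.lower())
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.add(hashlib.sha256(data.strip().encode()).hexdigest())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def inventory(html):
    """Return (external_hosts, inline_script_hashes) for one HTML snapshot."""
    parser = ScriptInventory()
    parser.feed(html)
    return parser.external, parser.inline


def find_unexpected(html, baseline_hosts, baseline_inline):
    """Return (new_hosts, new_inline_hashes) that are not in the baseline."""
    hosts, inline = inventory(html)
    return hosts - baseline_hosts, inline - baseline_inline


# Constructed sample: a known-good baseline and a later snapshot that has gained
# one extra third-party script and one changed inline block.
BASELINE_HTML = '<script src="https://shop.example/js/checkout.js"></script>\n<script>init();</script>'
LATER_HTML = BASELINE_HTML + '\n<script src="https://cdn-third-party.invalid/a.js"></script>\n<script>init(); setup();</script>'

if __name__ == "__main__":
    b_hosts, b_inline = inventory(BASELINE_HTML)
    print(find_unexpected(LATER_HTML, b_hosts, b_inline))
```

Run against periodic snapshots of the live checkout page, any non-empty result is worth an immediate look.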
2. Unusual Network Traffic
Monitor the website traffic for outbound traffic to unknown or suspicious domains, especially during payment transactions. Be aware of increased or unusual traffic patterns that don’t align with normal website analytics.
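The check described here can be automated over network or proxy logs: flag any destination contacted from a payment page that is not on the list of expected third parties. This is an added example, not CWSI's tooling; the log format, allowlist and sample lines are constructed assumptions.

```python
"""Outbound-destination check for checkout traffic (added example, not CWSI's
own code). Reads constructed log lines of the form
<time> <page path> <destination host> <bytes> and flags destinations reached
from payment pages that are not on the allowlist of expected third parties."""
from collections import Counter

# Assumed allowlist: the shop itself, its payment service provider and its
# analytics vendor. Anything else contacted from the payment page is unexpected.
ALLOWED_HOSTS = {"shop.example", "psp.example", "analytics.example"}
PAYMENT_PATHS = ("/checkout", "/payment")

# Constructed sample lines; the last two show the pattern this sign describes,
# requests from the payment page to a host nobody on the team recognises.
SAMPLE_LOG = """\
2024-05-01T10:00:01 /checkout shop.example 512
2024-05-01T10:00:02 /checkout psp.example 1340
2024-05-01T10:00:03 /products/42 analytics.example 220
2024-05-01T10:00:04 /checkout stat-collector.invalid 860
2024-05-01T10:00:09 /payment stat-collector.invalid 910
"""


def parse_line(line):
    """Split one log line into its fields."""
    ts, path, host, nbytes = line.split()
    return {"ts": ts, "path": path, "host": host.lower(), "bytes": int(nbytes)}


def suspicious_destinations(log_text, allowed=ALLOWED_HOSTS):
    """Return {host: request_count} for unexpected hosts reached from payment pages."""
    hits = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["path"].startswith(PAYMENT_PATHS) and rec["host"] not in allowed:
            hits[rec["host"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in suspicious_destinations(SAMPLE_LOG).items():
        print(f"unexpected destination from payment page: {host} ({n} requests)")
```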
3. Customer Complaints
Investigate any reports from customers about unauthorised transactions made shortly after making a purchase from your website. Another sign to watch out for is the pattern of multiple customers reporting similar issues with their payment cards.
4. Unfamiliar Files on the Server
The detection of unfamiliar or suspicious files, especially in directories related to the website’s checkout or payment processing pages, could be a key indication of an e-skimming attack.
5. Alerts from Security Tools
Look into notifications from web application firewalls (WAFs), intrusion detection systems (IDS), or any other security tools that report suspicious activity or code injections.
6. Performance Problems
Unexpected slowdowns or performance issues on website pages such as the checkout page, caused by the additional load from malicious scripts, can also indicate an e-skimming attack.
7. Changes in Web Traffic Patterns
Keep watch for anomalies in web traffic patterns, such as spikes in traffic to certain pages or external servers during the checkout process.
Who is the Target of an E-Skimming Attack?
E-skimming attacks primarily target online shoppers during the checkout process. Identity thieves exploit this group by capturing credit card information when users input it into website forms. Therefore, anyone making an online purchase is potentially at risk.
Additionally, e-skimming attacks significantly impact businesses through financial losses from chargebacks, refunds, and the costs of investigation and remediation of the attack. These attacks can also damage a business’s reputation, leading to a loss of customer trust and attracting negative publicity. Businesses may face legal and regulatory consequences, including penalties for non-compliance with data protection laws and potential lawsuits from affected customers.
Organisations will also incur operational disruptions due to site downtime during security fixes and the implementation of stronger security measures. Lastly, businesses experience an increased customer service burden as they manage the surge in inquiries and complaints from affected customers.
What Can Your Organisation Do to Protect Against E-Skimming?
It is essential that organisations take preventative measures against attackers looking to perform an e-skimming attack. By adopting the recommended steps below and implementing a strong set of security measures, businesses can better protect themselves against future attacks.
Performing Regular Updates
Keeping all software up to date, including plugins and third-party integrations.
Security Audits
Conducting regular security audits and vulnerability assessments.
WAF (Web Application Firewall)
Implementing a WAF to monitor and filter malicious activity.
Segmentation
Segmenting the network to limit access to critical systems and data.
Monitoring
Continuous monitoring for unusual activity and anomalies in web traffic.
What to Do if You Have Fallen Victim to an E-Skimming Attack?
It is important to have an organisational plan in place if your business becomes subject to an e-skimming attack. A plan enables your security teams to take action immediately and reduce further damage. See our recommendations below:
Source Identification
Determine the origin of the skimming code. Using this information, identify the attackers' access point and investigate whether the code came from a third-party service, a network compromise, or another source.
Document the Malicious Code
Save a copy of the skimming code, or a record of the domain where it was injected. This evidence will be valuable for further investigations.
Change Credentials
Update any passwords that may have been compromised during the attack.
Report the Attack
Get in touch with the NCSC and report the attack.
In Summary
It is crucial for organisations to be vigilant against e-skimming attacks: if a customer suffers a significant financial loss, it can harm the organisation's reputation. Moreover, organisations are legally obligated to protect user data, so failure to do so could result in fines or legal action if a customer suffers an e-skimming attack.
Additionally, an e-skimming incident can result in a loss of customer trust. When users perceive a website as unsafe, they avoid making purchases or sharing sensitive information, which has a huge negative impact on the business. To protect against these outcomes, businesses must allocate time to monitor and secure their systems against potential e-skimming attacks.
How CWSI Can Help
CWSI is your trusted cybersecurity partner, working with customers from a range of industries to help them stay safe and secure. CWSI’s expertise in Microsoft has earned us a spot in the exclusive Microsoft Intelligent Security Association (MISA) group since 2021.
We offer a range of services to help our customers protect themselves against the evolving threat landscape, and our expertise has led us to acquire Microsoft Security Specialisations in Identity and Access Management, Information Protection and Governance, and Threat Protection.
To learn about how we can help your business adopt a proactive security strategy to defend against cyber criminals, request a meeting with our security experts today via the form below.