E-skimming is a type of attack involving the introduction of code onto a web page for the purpose of intercepting sensitive user information as the individual is entering the data into a web form. The type of information stolen in e-skimming attacks includes credit card data, social security numbers, bank account data, and other personally identifiable information (PII). The victims have no way of knowing that their information is being stolen, until that information is used by the hacker, for example, in an unauthorized online purchase.
E-skimming is also sometimes referred to as digital skimming, data skimming or a Magecart attack.
How does e-skimming work?
Criminals introduce e-skimming code onto webpages by:
- Exploiting a known vulnerability on the website’s e-commerce platform.
- Exploiting a flaw present on a company’s payment card processing page.
- Adding malicious code to existing third- or fourth-party code (often JavaScript) that is used by the target website.
The skimming function is executed by the user’s browser, allowing it to steal sensitive information by recording the keystrokes the user types into the form fields. The stolen sensitive information is collected by the criminal and then sold on the dark web or used by the criminal to make fraudulent purchases.
Because e-commerce websites are made up of hundreds of thousands and sometimes millions of lines of code, it is fairly easy for criminals to hide malicious scripts. Many e-commerce sites also employ plug-ins, extensions, widgets, and other pieces of software to enhance the user experience. This software is often written in JavaScript, which was not designed with security in mind, making it easy to compromise a plug-in, extension, or widget and inject malicious skimming code that runs in the shopper’s browser alongside the site’s own scripts.
Who is the target of e-skimming?
Businesses—Any organization that maintains a website that collects payment information and other types of sensitive user data is at risk of an e-skimming attack. Industries targeted include retail, entertainment, travel, utility companies, and third-party vendors (such as those working in online advertising or web analytics). The cyber criminals may also target user and administrative credentials in addition to financial or credit card information.
Consumers—Consumer PII, credit card, and financial data is the primary target of e-skimming. Every year millions of individuals become victims of e-skimming attacks.
What is the impact of an e-skimming attack?
Loss of Sensitive Customer Information—E-skimming attacks can involve the theft of multiple types of customer information, including credit card data and PII.
Profit loss—Previous e-skimming attacks have shown that business profits suffer as a result of reputation damage and loss of customer trust.
Regulatory and Compliance Issues—Government and industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), can expose businesses to lawsuits and fines should their customers be affected by an e-skimming attack.
What can businesses do to protect against e-skimming?
Businesses can reduce the number and impact of e-skimming attacks by following these best practices:
Audit web assets: Inventory your web assets and know the type of data they hold.
Regularly scan the client side: Conduct regular deep-dive scans of client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.
Use automated monitoring and inspection: Monitoring and inspection activities are critical, but also time-consuming if you don’t have an automated solution that regularly reviews client-side JavaScript code. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity.
Maintain safe JavaScript libraries: Confirm the security of any external libraries by making sure they’re not on any blacklists. Regularly patch and update your libraries and avoid depending on third-party hosts to serve them. Businesses might also wish to consider acquiring technologies that deploy security permissions on JavaScript web applications to closely control the data that third- and fourth-party scripts can access and disseminate.
Deploy and maintain Content Security Policies: Generate tailored Content Security Policies and deploy them on your web applications. Then use purpose-built technologies to monitor, manage, version-control, and continuously enhance your policies.
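To show what "tailored" means in practice, here is an added example (not from the original article) of a simplified CSP evaluator alongside a weak policy and a tailored one: the tailored policy blocks both a script loaded from an unapproved host and a connection to an unknown host, while the weak policy allows both. The policies, page origin and URLs are constructed; real CSP matching also covers nonces, hashes and ports, which are omitted here.

```javascript
// Added example (not from the original article): a simplified Content Security
// Policy evaluator. Given a policy, the page origin and a URL, it reports
// whether a script load (script-src) or a data send (connect-src) would be
// allowed. Policies, origins and URLs are constructed for illustration.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one source expression against a URL: 'none', 'self', '*', scheme
// sources (https:) and host sources with an optional *. wildcard. Nonces,
// hashes and port matching are left out to keep the example short.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false;           // other keywords not modeled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && `${m[1].toLowerCase()}:` !== u.protocol) return false;
  const host = m[2].toLowerCase();
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Look up the directive (falling back to default-src) and test the URL.
function cspAllows(policy, directive, url, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d[directive] || d['default-src'];
  if (!sources) return true;            // no applicable directive: allowed
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE = 'https://shop.example.com';
// Weak policy: any origin may supply scripts or receive data, so an injected
// skimmer runs and exfiltrates unhindered.
const WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'; connect-src *";
// Tailored policy: only the site itself and one approved vendor can run code
// or receive data; everything else is blocked.
const TAILORED_CSP =
  "default-src 'self'; script-src 'self' https://analytics.example-vendor.com; " +
  "connect-src 'self' https://analytics.example-vendor.com; object-src 'none'";
```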
Be selective with plug-ins, widgets, extensions, and third-party scripts: These website enhancement tools and other third-party scripts can contain vulnerabilities or intentional malicious content. Be sure to only use such tools and third-party JavaScript from known and reputable sources.
Use secure software development practices: Apply software development best practices that aid in the detection and elimination of errors early in the application development process.
Move security to the left: Ensure security is part of the entire software development process—from beginning to end—and doesn’t just happen after a web application is built or installed on a system.