What Is Digital Skimming?
Often called online card skimming, a digital skimming attack steals credit card or payment data from your web visitors. Bank ATMs and gas station or retail point-of-sale systems have long suffered physical skimming, where attackers install concealed skimming devices and cameras to capture credit/debit card numbers and PINs. Digital skimmers do the same thing on web pages: they hijack the path to the payment page, or to any form, and present their own payment page to unsuspecting users. Formjacking was the term originally used when attackers modified forms on web servers to collect PII.
Magecart: the Most High Profile Digital Skimming Attack
Magecart is a style of digital skimming attack on web and mobile applications. In the British Airways breach, one of the Magecart groups modified an existing script so that it skimmed customer payment information, unbeknownst to the users or to British Airways. Website operators have no visibility into what happens inside their users’ browsers once their client-side code has been changed.
The injected code waits for users to fill out forms with their credit card numbers or other personal information. The information is transmitted directly from the user’s browser/device to a site controlled by the attacker. Once they’ve stolen this data, cybercriminals are free to go shopping on the users’ accounts or resell the stolen information on the dark web.
A Growing Menace to E-Commerce
As online shopping continues to grow, so do cybercrimes. Within a 12-month period from 2017 to 2018, Magecart, a loosely organized group of cybercriminals, breached more than 12 third-party software vendors. For today’s e-commerce companies, digital skimming is the new normal. In 2019, British Airways paid $230 million in regulatory fines - all stemming from a Magecart attack in 2017.
For hackers, this type of attack brings in big profits with very little effort. In one reported case, the attack amounted to a single line of HTML that loaded a malicious script, which was then used against thousands of websites.
The majority of digital skimming attacks target third-party content management systems and online shopping cart systems. Merchants rely on them to make their e-commerce sites more seamless and user-friendly. But these third-party tools are under constant attack by digital skimmers looking to exploit their security vulnerabilities.
To avoid detection, attackers will hide malicious code inside good code. Merchants and customers might be unaware of the code change or the breach for days or even months in some cases. As of Oct 2019, none of the Magecart hackers have been caught.
How Are Companies Fighting Digital Skimming and Magecart Attacks?
Sadly, there are no good options available if you choose to rely on existing security solutions like Web Application Firewalls. Some companies are placing their bets on static scanning of their site, not realizing the dynamic nature of Magecart attacks. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration/continuous deployment cycles. Content security policies (CSP) are also the first resort for many web application security professionals. CSPs, originally used for protection against cross-site script execution, need a lot of tuning. CSPs provide no visibility into first- or third-party script behaviour or site activity, and they do not cover new and sophisticated attacks.