What Is Digital Skimming?
Digital skimming is a major cybersecurity threat to websites. Often called e-skimming or online card skimming, a digital skimming attack steals credit card numbers and other payment card data from visitors to an online store. Retailers and banks have long dealt with physical skimming, where attackers fit stealthy skimmer devices to ATMs or point-of-sale terminals to capture card numbers and PINs. Digital skimmers do the same thing on e-commerce websites: malicious JavaScript reads payment data straight out of the input fields of an existing checkout form, or redirects unsuspecting users to a fake checkout page. Formjacking was the term originally used when attackers modified forms on web servers to collect personal data, and it led to a series of data breaches.
How Does Digital Skimming Work?
Magecart: the Most High Profile Digital Skimming Attack
In a Magecart attack, skimmer code is injected into the checkout page, either directly or through a third-party script the page already trusts. The injected code waits for users to fill out forms with their credit card numbers or other customer data, then transmits that information directly from the user's browser to a server controlled by the attacker; the merchant's own servers never see the exfiltration. Once they have stolen this data, cybercriminals are free to go shopping on the users' accounts or to resell the card data on the dark web.
A Growing Menace to E-Commerce
As online shopping continues to grow, so do cybercrime and Magecart attacks. Within a 12-month period spanning 2017 and 2018, Magecart, a loose collection of cybercriminal groups, breached more than 12 third-party software vendors, turning each into a supply chain attack against the vendor's customers. For today's e-commerce companies, digital skimming is the new normal. In 2019, the UK data protection regulator announced a fine of roughly $230 million (£183 million) against British Airways, all stemming from a Magecart attack on its website in 2018.
The majority of digital skimming attacks target third-party content management systems and online shopping cart platforms such as Magento, along with the tags, plugins and libraries that merchants embed to make their sites more seamless and user-friendly. Because these components run in every shopper's browser, compromising one of them compromises every checkout page that loads it, and they are under constant attack by digital skimmers looking for security vulnerabilities to exploit.
To avoid detection, attackers hide the skimmer inside legitimate code, for example by appending it to a vendor's existing script or obfuscating it to look like ordinary analytics code. Merchants and customers may be unaware of the malware, and of the resulting data breach, for days or even months. As of October 2019, none of the cybercriminals responsible for Magecart attacks had been caught.
How Are Companies Fighting Digital Skimming and Magecart Attacks?
Traditional cybersecurity solutions like Web Application Firewalls are not enough to protect the client side against digital skimming and Magecart attacks: a WAF inspects traffic between the browser and the merchant's servers, while a skimmer sends stolen data from the browser straight to the attacker's domain, which the WAF never sees. Some companies are placing their bets on static scanning of their site, not realizing that Magecart skimmers are dynamic and may load only for certain visitors, pages or times. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration/continuous deployment cycles. Content Security Policy (CSP) is also the first resort for many web application security professionals. CSP, originally designed as a defense against cross-site scripting (XSS), needs a lot of tuning: the policy has to enumerate every script source and every connection destination the page legitimately uses, and it must be updated whenever a tag changes. Even a well-tuned CSP provides no protection against a compromise of a trusted domain, since a skimmer served from an allowlisted vendor host, and exfiltrating data back to that same host, satisfies the policy completely.
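To make the CSP limitation concrete, the following added example (not code from the article or from any vendor) is a deliberately simplified CSP evaluator. It models three skimmer placements, an inline injection, a script on an attacker-controlled host and a skimmer hidden in a trusted tag vendor's script, and checks whether each can load and then exfiltrate card data with fetch() under a loose policy and under a tuned one. The page origin, the vendor host `tags.vendor.example`, the attacker host `cdn.attacker.example` and the payment API host are all constructed; the matcher implements only `'self'`, `'none'`, `'unsafe-inline'`, scheme sources such as `https:` and host sources with an optional `*.` prefix, and ignores paths, ports, nonces and hashes.

```javascript
// Simplified CSP evaluator (added example, not from the article).
// Assumptions: hosts below are constructed; source matching is reduced to
// 'self', 'none', 'unsafe-inline', scheme sources and host sources.
const PAGE_ORIGIN = "https://shop.example";          // constructed merchant origin
const TRUSTED_TAG = "https://tags.vendor.example";   // constructed third-party tag vendor
const ATTACKER = "https://cdn.attacker.example";     // constructed attacker host

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const clause of policy.split(";")) {
    const [name, ...sources] = clause.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one CSP source expression permit a resource at `url`, or inline code
// when url is the literal string "inline"?
function sourceMatches(source, url) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (url === "inline") return s === "'unsafe-inline'";
  if (s.startsWith("'")) return s === "'self'" && originOf(url) === PAGE_ORIGIN;
  const target = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // e.g. "https:"
  const [scheme, host] = s.includes("://") ? s.split("://") : [null, s];
  if (scheme && target.protocol !== `${scheme}:`) return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Look up a fetch directive with the standard fallback to default-src.
function allows(directives, directive, url) {
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (!sources) return true; // policy is silent on this directive: browser allows
  return sources.some((src) => sourceMatches(src, url));
}

// A skimmer at `scriptUrl` ("inline" or a URL) that exfiltrates with fetch()
// to `exfilUrl` succeeds only if both script-src and connect-src permit it.
function evaluateSkimmer(policy, scriptUrl, exfilUrl) {
  const d = parseCsp(policy);
  const loads = allows(d, "script-src", scriptUrl);
  const exfiltrates = loads && allows(d, "connect-src", exfilUrl);
  return { loads, exfiltrates };
}

// A permissive starting policy that many sites ship: it blocks nothing here.
const LOOSE_CSP = "default-src 'self' https: 'unsafe-inline'";
// A tuned policy. The tag vendor must stay in script-src and connect-src for
// its legitimate feature to work, which is exactly the gap a compromise uses.
const TUNED_CSP = [
  "default-src 'none'",
  `script-src 'self' ${TRUSTED_TAG}`,
  `connect-src 'self' ${TRUSTED_TAG} https://api.payments.example`,
  "img-src 'self'",
  "form-action 'self'",
].join("; ");

// Constructed skimmer placements: [where the skimmer script lives, where it sends data].
const SCENARIOS = {
  inlineInjection: ["inline", `${ATTACKER}/collect`],
  attackerHostedScript: [`${ATTACKER}/skimmer.js`, `${ATTACKER}/collect`],
  compromisedVendorToAttacker: [`${TRUSTED_TAG}/tag.js`, `${ATTACKER}/collect`],
  compromisedVendorScript: [`${TRUSTED_TAG}/tag.js`, `${TRUSTED_TAG}/collect`],
};

function runScenarios(policy) {
  const out = {};
  for (const [name, [script, exfil]] of Object.entries(SCENARIOS)) {
    out[name] = evaluateSkimmer(policy, script, exfil);
  }
  return out;
}

console.log("loose policy:", runScenarios(LOOSE_CSP));
console.log("tuned policy:", runScenarios(TUNED_CSP));
```

Under the loose policy every scenario loads and exfiltrates. The tuned policy stops the inline injection, the attacker-hosted script and, through `connect-src`, a compromised vendor script that tries to send data to the attacker's host; the last scenario, a skimmer inside the trusted vendor's own script posting back to the vendor's own host, passes both checks, which is the case CSP cannot address.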
Modern client-side application security solutions address this gap by continuously monitoring the behavior of every script on the website, in particular which hosts each script sends data to and whether that data looks like payment details, and by automatically maintaining CSP rules from what they observe, so that a skimmer is stopped by what it does rather than by where it was loaded from.
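As an added illustration of the behavioral monitoring described above (this is example code, not any vendor's product), the block below replays constructed records of a checkout page's outbound requests, of the kind a client-side monitoring agent or CSP violation reports might provide, and raises an alert when a Luhn-valid card number leaves for any host other than the payment processor, or when any request goes to a host that is not on the page's allowlist. The allowlist, the payment host `api.payments.example`, the hostnames and the four request records are all constructed; the base64 decoding step reflects the common skimmer habit of encoding stolen fields before sending them.

```javascript
// Behavioral detection over outbound checkout requests (added example, not
// from the article). All hosts and request records are constructed.
const ALLOWED_HOSTS = new Set(["shop.example", "api.payments.example", "tags.vendor.example"]);
const PAYMENT_HOSTS = new Set(["api.payments.example"]); // the only legitimate card-number destination

// Luhn check, used to separate real card numbers from other long digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return the distinct Luhn-valid 13-19 digit runs in `text`, also looking
// inside a base64 decoding when the whole body looks base64-encoded.
function findCardNumbers(text) {
  const candidates = [text];
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(text) && text.length % 4 === 0) {
    candidates.push(Buffer.from(text, "base64").toString("utf8"));
  }
  const found = new Set();
  for (const t of candidates) {
    for (const run of t.match(/\d{13,19}/g) ?? []) {
      if (luhnValid(run)) found.add(run);
    }
  }
  return [...found];
}

// One request record: which script initiated it, where it went, what it carried.
function analyzeRequest(req) {
  const host = new URL(req.url).hostname;
  const reasons = [];
  if (!ALLOWED_HOSTS.has(host)) reasons.push(`request to unlisted host ${host}`);
  const pans = findCardNumbers(req.body ?? "");
  if (pans.length > 0 && !PAYMENT_HOSTS.has(host)) {
    reasons.push(`card number sent to non-payment host ${host} by ${req.initiator}`);
  }
  return reasons.length > 0 ? { initiator: req.initiator, url: req.url, reasons } : null;
}

function detectSkimming(requests) {
  return requests.map(analyzeRequest).filter(Boolean);
}

// Constructed sample: one legitimate tokenization call, one ordinary analytics
// beacon, one skimmer hiding inside the trusted tag vendor's script, and one
// inline skimmer posting a base64-encoded payload to an attacker host.
const SAMPLE_REQUESTS = [
  { initiator: "https://shop.example/js/checkout.js", url: "https://api.payments.example/v1/tokenize",
    body: '{"pan":"4111111111111111","exp":"12/27"}' },
  { initiator: "https://tags.vendor.example/tag.js", url: "https://tags.vendor.example/collect",
    body: "ev=pageview&path=/checkout" },
  { initiator: "https://tags.vendor.example/tag.js", url: "https://tags.vendor.example/collect",
    body: "cc=4111111111111111&cvv=123&name=A+Customer" },
  { initiator: "inline", url: "https://cdn.attacker.example/gate.php",
    body: Buffer.from("cc=4111111111111111&cvv=123&exp=12/27").toString("base64") },
];

console.log(JSON.stringify(detectSkimming(SAMPLE_REQUESTS), null, 2));
```

The first record is not flagged even though it carries a card number, because the payment processor is the one host that is supposed to receive it; the third record is flagged although its destination is allowlisted, which is the compromised-trusted-domain case that a CSP alone lets through.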