
What E-Skimming Is All About

Introduction

As we move into the last month of 2019, there is one thing that we all look forward to: the Holidays, and spending time with family and friends.  But there is another aspect to this as well, and that is the shopping we do for the gifts we want to give to others.  With the explosive advances that have taken place in wireless technology, there is no longer any need to visit old-fashioned brick-and-mortar stores.

We can now do all of this shopping from the comfort of our homes, eliminating the need to fight through traffic, hunt for a parking spot, and wait in long lines at the checkout lanes.  Within minutes, we can visit an online store, pick out the products we want, and with a few clicks of the mouse make payment and choose how the order will reach the recipient.

Best of all, with a Smartphone we can do our online shopping from anywhere, at any time we want.  While all of this may sound great, this is also the season for the Cyberattacker to come out and launch various threat vectors in an attempt to steal your credit card information and other forms of Personally Identifiable Information (PII) without you even knowing about it, until it is too late.  One such attack is known as “E-Skimming”.

How E-Skimming Works

E-Skimming typically preys upon the online stores of merchants that have a virtual presence.  When we visit an online store, we always assume that the site is safe to visit, and that precautions have been taken to protect not only our identity but our financial information as well.  This is often far from reality.  The Cyberattacker uses this threat variant in a way that is very covert and very difficult to spot at first glance.

In an E-Skimming attack, the Cyberattacker plants a piece of malicious script that is technically known as the “Skimming Code”.  It is very often deployed at the last stage of the online shopping process, the checkout stage.  This is where we enter our credit card information or other kinds of banking data in order to pay for the products we intend to purchase.  By making use of this specialized code, the Cyberattacker can very easily capture all of this data and use it for their own financial gain.

Or, they could even sell this data on the Dark Web, where another Cyberattacker could procure it and make fraudulent purchases on a massive scale.  There are a number of ways that the Skimming Code can be installed, which include the following:

  • Taking advantage of an unknown weakness or vulnerability in the E-Commerce platform being used by the merchant;
  • Gaining access to the victim’s network by sending out a Phishing Email in which they are tricked into clicking a malicious link or downloading a file that contains malware (in this case, it would more than likely be a Key-Logging software application);
  • Attaching this code to the JavaScript that is being used by the online store;
  • Launching a Cross Site Scripting (XSS) Attack in which the victim is tricked and redirected to a phony but very authentic-looking payment processing site where the malicious JavaScript has been installed.


(SOURCE:  1).

E-Skimming is also known, more specifically, as a “Magecart Attack”.  This term refers to the consortium of Cyberattackers that carry out and launch this kind of threat vector assault exclusively, and there are 7 known groups involved in this.
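The attack relies on a script being added to the checkout page that the merchant did not put there.  As an added example (not code from the original article), the audit below lists every script a checkout page loads and flags the ones a defender should look at: scripts from an origin that is not on the merchant’s allowlist, allowed scripts that carry no Subresource Integrity hash, and inline scripts for manual review.  The HTML, the allowlist and the page origin are all constructed for the demo.

```javascript
// Added example: audit the <script> tags of a checkout page against an allowlist.
// Assumptions: the page origin is https://shop.example and only the shop itself
// and its payment SDK CDN are expected to serve scripts. Both are made up here.
const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute text of a tag into a {name: value} map.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value || '';
  }
  return attrs;
}

// Returns one finding per script that deserves attention. A script from an
// allowed origin with an integrity attribute produces no finding.
function auditCheckoutScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) {
      // Inline code cannot be checked against an allowlist, but a skimmer can
      // live here too, so record the first few characters for review.
      findings.push({ kind: 'inline', snippet: m[2].trim().slice(0, 60) });
      continue;
    }
    // Resolve relative URLs against the page origin so "/js/x.js" is first-party.
    const origin = new URL(attrs.src, pageOrigin).origin;
    if (!allowedOrigins.includes(origin)) {
      findings.push({ kind: 'unexpected-origin', src: attrs.src, origin });
    } else if (!attrs.integrity) {
      findings.push({ kind: 'missing-sri', src: attrs.src, origin });
    }
  }
  return findings;
}

// Constructed sample checkout page: one clean script, one allowed script
// without SRI, one script from an origin nobody approved, and one inline script.
const SAMPLE_CHECKOUT_HTML = `<html><head>
<script src="/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script src='https://static-cdn-analytics.example/track.js'></script>
<script>window.cart = { total: 42.0 };</script>
</head><body></body></html>`;
const ALLOWED_ORIGINS = ['https://shop.example', 'https://cdn.payments.example'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, 'https://shop.example', ALLOWED_ORIGINS));
}
```

Run against a live checkout page on a schedule, any new finding of kind `unexpected-origin` is the signal worth alerting on; the `missing-sri` findings show where adding an `integrity` attribute would stop a modified CDN copy from loading at all.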

How To Avoid Becoming A Victim

In the end, anybody can become a victim of an E-Skimming Attack.  Despite all the preventative measures that an online merchant may take to protect their customers, there is still no guarantee that this will not happen.  But there are a number of steps that you can take to help mitigate the risk of this happening to you.  These are as follows:

  • Always check your credit card and banking information on a daily basis.  Don’t just wait for the paper statement; get an online account so that you can view all activity at least 2-3 times a day.  This may sound a little excessive at first, but the sooner you catch any sort of fraudulent activity, the better off you will be.  Most transactions are recorded in real time on these portals as they occur.
  • When making an online purchase, never use a debit card.  If the information on it is hijacked and compromised, you are responsible for the entire financial loss.  But if you use a credit card instead, your losses are limited to only $50.00, as stipulated by federal law.
  • Try not to enter your credit card or other banking information too frequently.  You should only shop at the most reputable online stores, and at those that also give you the option to store your financial information in a safe and secure manner.
  • If possible, make use of a mobile wallet, primarily ApplePay.  With these kinds of applications, your credit card information is stored securely and never has to be entered again as you make payments online.  The caveat here is that the online store must support this kind of payment mechanism.
  • Never click on any sort of pop-up ad that suddenly appears in your web browser.  More than likely, this is another vehicle being used to deploy the malicious E-Skimming Code.
  • If you are using your Smartphone for your online shopping, make sure you can use Multi Factor Authentication (MFA) on it.  This is where you are required to present more than one type of credential in order to confirm your identity.
  • Always use strong passwords that are difficult to guess.  In this regard, seriously consider using what is known as a “Password Manager”.  These are software applications that create long and complex passwords and store them for you in a secure repository, so you do not have to remember them.  Best of all, your passwords can be reset automatically, without any intervention needed on your part.
  • Consider freezing your credit with the three major reporting bureaus (Equifax, Experian and TransUnion) to prevent any new accounts from being opened with your PII, in case you do become a victim of Identity Theft.

Conclusions

Future blogs will examine other forms of Cyberattacks that covertly leverage your credit card information for malicious purposes.

Sources

  1.  https://www.bleepingcomputer.com/news/security/fbi-warns-govt-agencies-smbs-to-defend-against-e-skimming-threats/
