Introduction
With the explosive advances in wireless technology, there is no longer any need to visit old-fashioned brick-and-mortar stores.
We can now do all of our shopping from the comfort of our homes, eliminating the need to fight through traffic, hunt for a parking spot and wait in long checkout lines. Within minutes, we can visit an online store, pick out the products we want, and with a few clicks of the mouse make payment and select how the order will reach the recipient.
Best of all, with a smartphone we can shop online from anywhere, at any time. While all of this may sound great, this is also the season for cyber attackers to come out and launch various threat vectors in an attempt to steal your credit card details and other Personally Identifiable Information (PII) without you knowing about it until it is too late. One such attack is known as “e-skimming”.
How e-skimming works
E-skimming typically preys upon merchants that sell through an online store. When we visit an online store, we tend to assume that the site is safe and that precautions have been taken to protect both our identity and our financial information. But this is far from the reality. The cyber attacker deploys this threat variant in a way that is very covert and exceedingly difficult to spot at first glance.
In an e-skimming attack, the cyber attacker plants a piece of malicious code, technically known as “skimming code”, into the store. It is very often deployed at the last stage of the online shopping process, the checkout stage, where we enter our credit card details or other banking data to pay for the products we intend to purchase. Using this specialised code, the cyber attacker can very easily capture all of that data and use it for financial gain.
Or they could sell the data on the Dark Web, where other cyber attackers can buy it and make fraudulent purchases on a massive scale. There are several ways the skimming code can be installed, including the following:
- Taking advantage of an unknown weakness or vulnerability in the e-commerce platform used by the merchant.
- Gaining access to the network used by the victim by sending a phishing email that tricks them into clicking a malicious link or downloading a file that contains malware (in this case, most likely a key-logging application).
- Attaching the code to the JavaScript used by the online store.
- Launching a Cross-Site Scripting (XSS) attack in which the victim is tricked and redirected to a phony but authentic-looking payment processing site where the malicious JavaScript has been installed.
This is illustrated in the diagram below:
E-skimming is also known more specifically as a “Magecart attack”. The term refers to the consortium of cyber attackers that carry out and launch this kind of threat vector exclusively; there are seven known groups involved.
How to avoid being a victim
In the end, anybody can become a victim of an e-skimming attack. Despite all the preventive measures an online merchant may take to protect its customers, there is still no guarantee that it will not happen. But there are several steps you can take to mitigate the risk of it happening to you. These are as follows:
- Check your credit card and banking activity every day. Do not simply wait for the paper statement; set up an online account so that you can view all activity at least 2-3 times a day. This may sound a little excessive at first, but the sooner you catch any fraudulent activity, the better off you will be. Most transactions are recorded on these portals in real time as they occur.
- When making an online purchase, never use a debit card. If its details are hijacked and compromised, you are responsible for the entire financial loss. If you use a credit card instead, your losses are limited to $50.00, as stipulated by federal law.
- Try not to enter your credit card or other banking details too frequently. Shop only at the most reputable online stores, and at those that give you the option to store your financial details in a safe and secure manner.
- If possible, use a mobile wallet, primarily ApplePay. With these applications your credit card details are stored securely and never have to be entered again as you make payments online. The caveat is that the online store must support this kind of payment mechanism.
- Never click on any pop-up ad that suddenly appears in your web browser. More than likely, it is another vehicle being used to deploy the malicious e-skimming code.
- If you use your smartphone for online shopping, make sure you can use Multi-Factor Authentication (MFA) on it. This is where you are required to present more than one type of credential to confirm your identity.
- Always use strong passwords that are difficult to guess. In this regard, seriously consider using what is known as a “password manager”: a software application that creates long, complex passwords and stores them for you in a secure repository, so you do not have to remember them. Best of all, your passwords can be reset automatically without any intervention on your part.
- Consider freezing your credit with the three major reporting bureaus (Equifax, Experian and TransUnion) to prevent new accounts from being opened with your PII, just in case you do become a victim of identity theft.
Future articles will examine other forms of cyber attack that covertly leverage your credit card details for malicious purposes.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io