Imagine that you’re speaking to someone – maybe a close friend – on the phone. Because you trust the person you’re speaking to, you’re divulging all kinds of information to them, confident that this is a conversation that will remain between you and them.
Only there’s a problem. While your friend has no plans to share the content of your conversation with anyone else, unbeknownst to the two of you there is a third party listening to the call – and they’re taking notes. Anything that you say in confidence during the call is collected by this malicious third party and, at a later date, weaponized against you.
This nightmare situation is, in some ways, analogous to the problem of web skimming. Typically used as a means to steal online payment information (such as credit or debit card numbers), web skimming hijacks payment websites with malicious code so that whatever information is entered on an ecommerce site’s payment page is passed along to attackers.
These attackers could then use the information themselves for direct financial gain or, alternatively, sell it on to other parties. Although the hacked payment website might be wholly legitimate (like your unsuspecting friend in the example), this kind of man-in-the-middle web skimming attack exploits the trust many of us place in online payment services as a way to steal users’ most valuable personal information. It has quickly become one of the leading forms of card-not-present (CNP) fraud.
Magecart attacks proliferate
These web skimming attacks are often referred to as Magecart attacks. What is Magecart, you might ask? It’s the name for a notorious gang of hackers best known for targeting e-shopping cart systems, most frequently on the Magento platform. (That’s where the “Mage” part of the name comes from.) Although payment card information is what’s most frequently targeted by Magecart attacks, the approach has also been used to steal various other pieces of private data – such as names, locations, phone numbers, email addresses, and far more.
The malicious code that’s used for making such attacks possible can wind up on victim websites in multiple ways – ranging from stolen admin credentials for gaining access to the website’s backend to the exploitation of web application vulnerabilities that allow bad actors to upload their unauthorized code to web servers.
In order to make attacks tougher to spot, cyber attackers utilize different obfuscation techniques to mask the fact that they are using keylogging code to steal information being entered into webforms.
Target introduces Merry Maker
Fortunately, people are fighting back against web skimming attacks. For example, leading online retailer Target has created a client-side scanner and recently released it to the public as an open source project called Merry Maker. Named as such because it was initially launched prior to the holiday shopping season with the aim of making it “safer and merrier,” Merry Maker is an attempt to address the web skimming problem. It essentially functions as a fake user, carrying out simulated online browsing and then completing test transactions – while gathering information such as network requests and browser activity – so as to root out unauthorized activity.
According to Target, it has now completed more than one million website scans – with more happening all the time. It’s a great example of a large company taking this threat seriously, and doing its utmost to protect its users. (And, through the open sourcing of Merry Maker, even those individuals who aren’t necessarily Target customers.)
Tools like Merry Maker are a great line of defense for individuals and companies to explore. Any business that operates online (which, frankly, is virtually every business today) should carry out regular audits of any and all third-party JavaScript code it uses on its websites. It should also instruct third-party vendors to audit their own code, to make sure it contains no malicious instructions that could open the door to a web skimming attack. Solutions like the one developed by Target can add another layer of resilience to this kind of code-checking.
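As an added illustration of the kind of check a synthetic shopper can run over the network requests it records during a scripted checkout, here is a small audit written for this article; it is not Merry Maker's code. The hosts, the allowlist, the request shapes and the test card number are all constructed, and it assumes Node.js (for `Buffer` and `URL`).

```javascript
// Added example, not Merry Maker's code: audit the network requests a
// scripted test checkout records. Hosts, allowlist and requests are constructed.
const EXPECTED_HOSTS = new Set(['shop.example', 'js.payments.example', 'api.payments.example']);
const PAYMENT_API = 'api.payments.example'; // the only host that should ever receive the PAN
const TEST_CARD = '4111111111111111';      // widely used test number, not a real card

// Luhn check so we only react to digit runs that are plausibly card numbers.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Skimmers often encode what they send; plain text and base64 tokens are both checked.
function containsCardNumber(text) {
  const views = [text];
  for (const tok of text.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || [])
    views.push(Buffer.from(tok, 'base64').toString('utf8'));
  return views.some(v => (v.match(/\d{13,19}/g) || []).some(luhnValid));
}

// requests: [{ method, url, body }] captured while the fake user checks out.
function auditRequests(requests) {
  const alerts = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    const payload = decodeURIComponent(r.url) + ' ' + (r.body || '');
    if (!EXPECTED_HOSTS.has(host))
      alerts.push({ url: r.url, reason: 'host outside the checkout allowlist' });
    if (host !== PAYMENT_API && containsCardNumber(payload))
      alerts.push({ url: r.url, reason: 'card number leaving to a non-payment host' });
  }
  return alerts;
}

// Constructed capture: two legitimate requests, then two exfiltration shapes
// (a base64 image beacon to an unknown host, and a first-party endpoint that
// should never see the card number).
const CAPTURE = [
  { method: 'GET',  url: 'https://shop.example/checkout' },
  { method: 'POST', url: `https://${PAYMENT_API}/v1/charge`, body: `{"pan":"${TEST_CARD}"}` },
  { method: 'GET',  url: 'https://cdn-stats.example/p.gif?d=' +
                         Buffer.from(`cc=${TEST_CARD}`).toString('base64') },
  { method: 'POST', url: 'https://shop.example/api/cart', body: `cc=${TEST_CARD}&exp=1226` },
];
```

`auditRequests(CAPTURE)` returns three alerts: two for the beacon (unknown host, card number present) and one for the cart endpoint; the two legitimate requests produce none.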
Defenses go even further
It’s possible to go further, however. For instance, implementing HTTP Content-Security-Policy headers can add yet another protective layer against attacks like clickjacking, cross-site scripting (XSS), and assorted other types of code injection attacks.
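To make the Content-Security-Policy point concrete, here is an added example (written for this article, not taken from any project) that audits a CSP header string for the directives that matter most to web skimming: whether injected script can run, whether script can send data to arbitrary hosts, and whether the page can be framed. The two policies at the bottom are constructed, as are the hostnames in them.

```javascript
// Added example: audit a Content-Security-Policy header for the directives
// that decide whether a skimmer can load, run and exfiltrate. Policies and
// hostnames below are constructed for illustration.

function parseCsp(header) {
  // "script-src 'self' https://a.example; connect-src 'self'" -> Map(name -> values)
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // Fetch directives fall back to default-src when not set explicitly.
  const get = (name) => policy.get(name) ?? policy.get('default-src') ?? null;

  // 1. The skimmer has to load or run: script-src must not be open-ended.
  const script = get('script-src');
  if (!script) findings.push('no script-src or default-src: any script can load');
  else if (script.some(v => v === '*' || v === "'unsafe-inline'" ||
                            v.startsWith('data:') || v.startsWith('http:')))
    findings.push(`script-src allows injected code: ${script.join(' ')}`);

  // 2. Stolen data has to leave the page: fetch/XHR/beacon use connect-src,
  //    image beacons use img-src, and re-pointed forms use form-action.
  const connect = get('connect-src'), img = get('img-src');
  if (!connect || connect.includes('*')) findings.push('connect-src unrestricted: script can post data anywhere');
  if (!img || img.includes('*')) findings.push('img-src unrestricted: data can leak in image request URLs');
  if (!policy.has('form-action'))   // form-action does not fall back to default-src
    findings.push('no form-action: the checkout form can be re-pointed to another host');

  // 3. Clickjacking: frame-ancestors (also no default-src fallback).
  if (!policy.has('frame-ancestors')) findings.push('no frame-ancestors: page can be framed');

  return findings;
}

// Constructed policies for a checkout page: a permissive one and a hardened one.
const WEAK = "default-src *; script-src * 'unsafe-inline'";
const HARDENED = "default-src 'self'; script-src 'self' https://js.payments.example; " +
  "connect-src 'self' https://api.payments.example; form-action 'self'; frame-ancestors 'none'";
```

A policy like `HARDENED` is a containment layer, not a substitute for auditing the vendors it allowlists: a compromised script served from an allowed host still runs.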
Although it’s vitally important to know whether malicious code is present on a website, businesses should also take steps to block attacks before they succeed. Solutions like Runtime Application Self-Protection (RASP), Advanced Bot Protection, Web Application Firewalls (WAF), and others can play a key role in addressing this problem by spotting and blocking possible attacks automatically.
E-commerce is only going to become a bigger part of the retail landscape. For customers, it’s quick, easy, and efficient – although some of that ease-of-use opens up new security risks. But by taking the right precautions as a business, it’s more than possible to mitigate many of these threats. Doing so means doing right by your customers. They’ll thank you for it.