Today the PCI Security Standards Council and the Retail & Hospitality ISAC (https://rhisac.org/) issued a joint bulletin to highlight an emerging threat that requires urgent awareness and attention. The full bulletin can be viewed here.
What is the threat?
A growing threat that all merchants and service providers should be aware of is Web-based or Online Skimming. These attacks infect e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers, and are very difficult to detect. Once a website is infected, payment card information is “skimmed” during a transaction without the merchant or consumer being aware that the information has been compromised.
A term sometimes used in the press for this threat is Magecart. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.
How do these attacks work?
These threat actors use various methods, including exploiting vulnerable plugins, brute force login attempts (credential stuffing), phishing and other social engineering techniques, all in an attempt to gain access and inject malicious code. The attacks are made either directly against eCommerce websites or, often, against a third party’s software libraries that merchants rely upon. These service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.
Examples of third-party applications and services targeted in these attacks include advertising scripts, live chat functions, and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. Because these third-party functions are typically used by multiple e-commerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details, including billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
Who is most at risk?
Any eCommerce implementation that does not have effective security controls in place is potentially vulnerable. Attacks target eCommerce websites, third-party service providers, and companies providing applications used on websites. Magecart hackers and similar threat actors are continuing to evolve and modify their attacks, including customizing malicious code for different targets, and exploiting vulnerabilities in unpatched website software.