Customer data is extremely valuable to cybercriminals. This is even more true of credit card information, which can be easily used and abused in a number of different ways. For this reason, attacks using credit card skimming malware have become extremely popular in recent years. This malware steals customer card data from payment pages and sends it to an attacker, enabling them to use it in credit card fraud.
A recent set of vulnerabilities in the Magento eCommerce platform make sites using it vulnerable to credit card skimming attacks. Patching these vulnerabilities and protecting these sites against exploitation are critical to protecting an organization from cyberattacks and the reputational and regulatory impacts that come with them.
What is Credit Card Skimming?
The concept of card skimming has been around for a while now. Gas stations and ATMs are common targets of physical card skimmers, which steal the data of payment cards entered into these (commonly unmonitored) machines. Card skimming malware is also a common problem with point of sale (PoS) terminals in stores since a successful attacker could steal hundreds or thousands of cards’ details each day from a compromised location.
Web skimmers are credit card skimmers embedded in the code of the payment pages of eCommerce sites. These attacks take advantage of the structure and functionality of HTML pages.
Most web pages have an HTML file at their base, defining the overall structure and content of the page. However, these pages can also have other types of code embedded in or imported into them. Cascading Style Sheets (CSS) code defines the stylistic elements of a page, and scripting languages (JavaScript in the browser, PHP on the server) enable animation and interactivity.
Credit card skimmers take advantage of this ability to embed script code in a web page. A number of different attacks could allow an attacker to insert their own code into a legitimate page that the site then serves to its users. In the case of web skimmers, this code steals payment card data from the page and sends it to a cybercriminal.
Inside the Magento Platform Bugs
Magento is an extremely popular eCommerce platform designed to help retailers easily build their online presences. The wide adoption of the platform has also made it a common target for cybercriminals attempting to perform credit card skimming and similar attacks.
In January 2020, Adobe issued a number of patches for flaws in the Magento platform, three of them rated critical. Two of the three critical flaws enabled an attacker to achieve remote code execution (RCE), which would allow the cybercriminal to run attacker-controlled code on the server hosting the vulnerable website. The third was an SQL injection vulnerability, and two more were cross-site scripting (XSS) bugs.
All of these vulnerabilities could potentially have allowed Magecart (or another cybercrime group) to insert credit card skimming code on a vulnerable website. In the past, Magecart has used SQL injection to steal administrator credentials, making it easy for them to upload malicious code. XSS vulnerabilities are a common target for credit card skimmers since they enable injection of malicious code (like skimmers) into a web page, and RCE vulnerabilities can be used for a variety of different purposes.
For this reason, these vulnerabilities in the Magento platform should be patched as soon as possible. Exploitation of an organization’s website to include credit card skimmers can severely damage an organization’s reputation and bottom line.
Impacts of Credit Card Skimming Attacks
In the new data protection regulatory landscape, credit card skimming attacks can be extremely costly and damaging to an organization. Since credit card data is protected by a number of different regulations – including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS) – a leak of customer payment card data can expose an organization to a great deal of regulatory scrutiny.
The best example of the impact of credit card skimming attacks upon an organization is the British Airways (BA) breach reported in 2018. The airline’s payment card page was infected by a credit card skimmer by the Magecart cybercrime group, which enabled them to steal the payment card data of 500,000 BA customers.
In 2019, the Information Commissioner’s Office (ICO), the UK’s GDPR regulator, announced a proposed fine of $230 million against BA. This fine was the largest to date and exceeded all fines levied in the first year of GDPR enforcement combined, demonstrating that GDPR regulators take credit card skimming attacks very seriously.
Protecting Against Credit Card Skimming
Credit card skimming attacks use malicious code embedded in a legitimate website’s payment page to steal the credit card data of users of the site. For these attacks to be possible, the attacker needs a means of embedding their malicious code within a website.
This can be accomplished in a variety of different ways. Some attackers attempt to exploit vulnerabilities like those recently patched by Adobe in the Magento platform. Others take advantage of advertising networks, where weaponized ads can perform card skimming. Supply chain attacks and breaches of a company’s network with stolen credentials are also options.
Protecting against credit card skimmers requires securing an organization’s web servers against attack and unauthorized modification. A web application firewall (WAF) can help to block cross-site scripting and similar attacks used to deploy web skimmers. Integrity monitoring of the content served by web servers can detect modifications to payment pages, such as the insertion of a skimming script, so that they can be reverted before customers are affected.
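The integrity check just described, applied to the script tags that the earlier section explains web skimmers hide in: an added example written for this article, not code from the article or from Magento. It assumes a baseline of approved script hosts and SHA-256 hashes of approved inline scripts; the checkout page and baseline below are constructed sample data.

```python
"""Baseline check for <script> tags on a checkout page (added example).
External scripts must load from an allowlisted host and inline scripts
must match a known SHA-256 hash; everything else is reported."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:  # a script body may arrive in several chunks
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def sha256_hex(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()

def find_unapproved_scripts(html, allowed_hosts, approved_inline_hashes):
    """Return one finding per script that falls outside the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc  # empty for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(f"external script from unapproved host: {src}")
    for body in parser.inline:
        if sha256_hex(body) not in approved_inline_hashes:
            findings.append(f"inline script not in baseline: {body.strip()[:40]!r}")
    return findings

# Constructed baseline: one approved inline snippet and one approved CDN host.
KNOWN_INLINE = "window.checkout={ready:true};"
ALLOWED_HOSTS, BASELINE_HASHES = {"cdn.shop.example"}, {sha256_hex(KNOWN_INLINE)}
SAMPLE_HTML = (  # constructed page: two approved scripts, two that are not
    "<html><body><script src='/static/checkout.js'></script>"
    f"<script>{KNOWN_INLINE}</script><script src='https://cdn.shop.example/ui.js'>"
    "</script><script src='//unknown.example/x.js'></script>"
    "<script>var injected=1;</script></body></html>")
```

Run against a page fetched from the production site, the two findings are what a monitor would alert on; the same-origin path and the approved CDN script pass silently.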