Today, internet users are at a higher risk of having skimmers steal their credit card info. These malicious actors are swiftly changing their tactics to stealthily attack you without notice. As Microsoft security researchers express this worrying trend, you should be on the lookout. So, how advanced are these techniques they employ to maliciously skim credit cards without being detected? Read on to find out.
Card Skimming Malware; What is it?
E-commerce accounts deal with credit cards and debit cards as means of payment for orders placed. This makes them victims of skimming attacks. However, what is credit card skimming? This is an attack directed to a website where hackers take advantage of poor security strategies to inject suspicious JavaScript codes onto the sites. What’s more, if you use platforms such as PrestaShop, WordPress, or Magento to conduct e-commerce for your online store, you may be on the verge of this kind of exploitation.
Read: The Passwordless Future
However, how do these scammers activate the code? Once a web visitor is interested in your product, he reaches your checkout page, from where he pays for the order using either a debit or credit card. This means that they will have to enter the details on these cards, and these are what the skimmers want.
When the visitor types this information, the skimmer can steal it and then send it to another malicious operator. This next party will either make an online purchase with these payment credit card details or sell the data to someone else.
Unfortunately, the card skimmers are getting craftier and stealthier in their methods. Let us find out how they have devised new and improved techniques.
How Credit Card Skimmers Hide their Attacks
According to Microsoft Analysts, credit card skimmers use the following three methods to keep their actions undetected;
Using Image Files
These attackers are inserting their hidden malicious PHP scripts in image files to manipulate the checkout pages of the e-commerce sites. This way, they bypass any protection such as Content Security Protection (CSP) put in place by the browser to halt any attempts of loading external scripts. The result? They get access to the user’s payment card details.
Read: What is a Mobile Threat Defense?
Back in November 2021, Microsoft found 2 suspicious image files, one of them being a fake browser favicon that was being uploaded to one of the popular e-commerce platforms, Magento. Therefore, web servers with malicious PHP scripts are the most vulnerable to this advanced method of credit card skimming.
Taking Advantage of String Concatenation
In this case, the attacker uses a different domain that he controls to load the card skimmer. Therefore, when he has a website on target, he uses string concatenation obfuscation. Remember, the attacker doesn’t need to have the obfuscation since their skimming is not hosted by the e-commerce website they are targeting.
Employing Anti-Debugging Mechanisms
Other card skimmers have moved a notch higher to a point they first confirm if the developer tools of a browser are open or not before they go ahead with their mission.
Script Spoofing
This is a successful skimming method the hackers are taking advantage of. Why? Nearly all e-commerce website has a tool for tracking visitors to the site. For instance, some opt for the widely used Google Analytics and Meta Pixel, formerly known as Facebook Pixel. The skimmers are aware of this, and that is why they hide and pretend to be these tools without the sites’ knowledge. They inject the web with malicious JavaScript masquerading as any of these tools.
Therefore, a skimmer can spoof Google Analytics. In this case, the web admin will most likely skip the inspection, assuming it is a part of the site’s standard code. Unfortunately, this is where the catch is. On the other hand, if a website uses Meta Pixel, it can fall victim to the attacker as he can imitate a common parameter of this tool.
So, with all the advancements in card skimming methods, how can you protect yourself and your card information? Read on to find out.
Read: Zero-Click Malware: What are They and How do They Work?
How to Protect Yourself Against the Skimming Threats
Organizations can lose money through web skimming. What’s more, their reputation and customer trust can be damaged when they realize this. The following are some of the ways through which you can defend yourself from credit card skimming;
Web Administrators to Stay Up-to-date
If you are an e-commerce website administrator, ensure your website platform is updated and that it runs on the latest and most current version of your plugins and Content Management System (CMS). If you can have the process automated, the better. This way, you are always running the site on an updated version to prevent card skimming attacks.
Scan Frequently for Threats
The web administrators should ensure they frequently scan for potential payment card skimming threats. Earlier detection of such a threat can help keep your webpage away from vulnerability.
At times, the skimming could resemble other JavaScript codes utilized for legitimate business functions. However, the web administrator should pay close attention due to the increasing evasive tactics of attackers.
Be alert for any suspicious content on your site to avoid being vulnerable to the skimmers’ tactics. You can do this through thorough and regular checkups on your site.
Go Electronic
Rather than having a physical payment card that requires you to enter its details online whenever you buy items online, you can opt for other means of payment instead. Electronic means of payment could be a great option.
Stay Alert
As an online shopper, whenever you see a suspicious pop-up asking for your payment during checkout, be alert.
Set Payment Limits
Having set a particular limit of payment on your credit card, the skimmers will not manage to make purchases above the limit you set even when they access the card information.
Conclusion
Card skimmers are improving and advancing their skimming techniques. Unfortunately, this leads to the theft of the online shopper’s details and data, which can be used to make another purchase. Besides, an organization vulnerable to skimming is not easily trustworthy and can lose its reputation and money. The good news is that there are strategies both buyers and organizations can put in place to defend themselves from web skimming.
Related articles you might be interested in:
Online Marketplaces: The Best Platforms for Selling Your Products
