FBI warns of growing threat of e-skimming
By Ed Mierzwinski
Philadelphia— In June of 2018, Ticketmaster announced their site had been compromised by a massive credit card-skimming campaign by Magecart. While most people are familiar with skimming devices attached to gas pumps and credit card machines, online skimming injects malicious code onto e-commerce sites to capture financial data entered by customers.
Now the Federal Bureau of Investigation (FBI) is warning that small and medium-sized businesses, and government agencies, are especially vulnerable. Through phishing attacks or by going through third-party vendors, the hackers get access to the site and start collecting the financial data.
Once collected, such data can be used for fraudulent purposes by the thief or sold on the DarkNet to others. And the consumer may never know their info has been taken, according to Herb Stapleton, section chief for the FBI’s cyber division.
“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” he told CNBC.
E-skimming impossible to ignore
Websites that take online payments, whether for bill pay or e-commerce, can no longer ignore the threat posed by such attacks. Companies such as Macy’s, British Airways, and Puma have also been hit by these efforts. RiskIQ has studied the rising threat posed by such scams since they first appeared in 2016.
According to the company, more than 17,000 websites have been compromised by Magecart, including some in the top 2,000 on Alexa.
Not content to wait for individuals to visit websites on their own, Magecart groups are using advertisements to drive traffic to skimmers on thousands of sites. Seventeen percent of the so-called malvertisements they detected were tied to Magecart.
And once in place, this software can stay undetected for years, continuing to collect vital information.
Businesses must take action
As part of Cybersecurity Month, the FBI is recommending businesses and agencies take a few key actions to safeguard customers:
Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up to date and firewalls strong.
Change default login credentials on all systems.
Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
What you can do
Despite all this, hackers continue to develop new ways to insert their malware onto websites. The FBI predicts millions have fallen prey to these skimmers in recent years.
Shop with a credit card: It is easier to challenge fraudulent charges on your credit card and they often have lower limits for liability for fraud. All that makes it easier to get your money back.
Use a virtual card: Some banks have started to offer virtual credit cards that can be used for mobile purchases by creating individual tokens for each interaction. These numbers are unique, so if they are stolen, they are useless to criminals.
Monitor your cards: Set up a time every week or month to review your charges for unusual activity and, if you find any, report it right away.
Businesses and agencies will keep working with law enforcement agencies to reverse the trend of more sites being compromised by e-skimming malware. In the meantime, these actions can help give consumers peace of mind.

