By Source Defense

Security researchers have been monitoring four emerging skimming attacks of concern this holiday season. These threat actors primarily targeted ecommerce stores in the U.S., U.K., Australia, and Canada that used Magento and Presta-based ecommerce platforms.

News of the emerging threats comes just days before the start of the most lucrative and risky 4-week period of the year for online retailers. The ecommerce industry is readying itself for a record $236 billion holiday shopping season this year. But if you’re one of the retailers hoping to capture a piece of that holiday spending pie, you’d better make sure you know exactly what your web applications and digital supply chain partners are doing with your customers’ data.

In July, researchers observed a threat actor actively compromising Magento-based ecommerce stores and injecting script tags pointing to the skimmer code hosted on attacker-registered domains. Each skimmer code snippet was customized with the name of the targeted store and the type of payment processor used.

This month, the same researchers observed a threat actor injecting highly obfuscated variants of a JavaScript skimmer into existing legitimate jQuery libraries on various Magento-based ecommerce stores. They noticed 2 unique domains used to exfiltrate the payment card data. Both of these domains still have zero detections on VirusTotal, and the ecommerce stores were still infected as this blog was going to print.
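An added example (not code from the research blog or from Source Defense): a minimal external check for the two injection patterns described above, script tags that point at unknown domains and altered copies of self-hosted libraries such as jQuery. The hosts, URLs, file bodies and the `audit` helper are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# All hosts, URLs and file bodies below are constructed for illustration.
PAGE_URL = "https://shop.example/checkout"
AUTHORIZED_HOSTS = {"shop.example", "cdn.payments.example"}
CLEAN_JQUERY = b"/* constructed stand-in for jquery.min.js */ window.jQuery=function(){};"

def sri_sha384(body):
    """Digest in Subresource Integrity form: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Known-good digests recorded when each self-hosted library was last reviewed.
BASELINE = {"https://shop.example/js/jquery.min.js": sri_sha384(CLEAN_JQUERY)}

class ScriptInventory(HTMLParser):
    """Collect the absolute URL of every external <script src=...> tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.sources = page_url, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(urljoin(self.page_url, src))

def audit(html, fetched, page_url=PAGE_URL):
    """Return (url, finding) pairs; an empty list means nothing to review."""
    inventory = ScriptInventory(page_url)
    inventory.feed(html)
    findings = []
    for url in inventory.sources:
        if urlparse(url).hostname not in AUTHORIZED_HOSTS:
            findings.append((url, "unauthorized-host"))  # script tag to an unknown domain
        elif url not in BASELINE:
            findings.append((url, "no-baseline"))        # allowed host, content never reviewed
        elif sri_sha384(fetched[url]) != BASELINE[url]:
            findings.append((url, "hash-mismatch"))      # library bytes changed since review
    return findings

SAMPLE_HTML = """<head>
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.payments.example/v3/pay.js"></script>
<script src="//static.unknown-widgets.example/t.js"></script>
</head>"""
# Simulates a library file that had extra bytes appended after review.
SAMPLE_FETCHED = {"https://shop.example/js/jquery.min.js": CLEAN_JQUERY + b"/* appended */"}
```

Because the check compares against an allowlist and a recorded digest, it flags a script host or a modified library even when the domain involved has no detections on reputation services.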

“Users are advised to exercise caution while shopping online during this holiday season as threat actors are actively targeting ecommerce stores for financial data theft,” according to the research blog.

Earlier this month, these same researchers posited that Magecart attacks had likely compromised some 38 percent of all retail websites. Magecart refers to a group of cybercriminals specializing in “skimming” attacks and payment card theft targeting the Magento shopping cart (which is now Adobe Commerce). In fact, as many as one-third of all Magento-powered websites are thought to be still running unpatched and vulnerable versions of Magento and Adobe Commerce shopping cart applications.

Magecart attacks are designed to skim information entered into payment forms on checkout pages before sending data back to a remote computer controlled by attackers. This is a potential security nightmare for the ecommerce industry as virtually all resources during the next month will be focused on order completion and sales, not securing 3rd party software.

The BlindSpots

The average ecommerce website uses dozens of 3rd party tools, with retailers saying they plan to add an average of 3-5 new 3rd party technologies to their sites annually. 

Instead of hacking the ecommerce websites themselves, hackers often attack the 3rd party plugins and use their JavaScript to hitchhike onto the ecommerce website. Checking the security perimeter of an ecommerce site is just not enough. A website is affected by the security perimeter of all of the 3rd party tools it uses. Moreover, it has no control over what’s happening outside the 3rd party circle: there are 4th party circles, 5th party circles, and so on, that most website owners know nothing about.

Despite this, ecommerce sites have exponentially increased their dependency on 3rd, 4th, and 5th party technologies, sharing confidential and sensitive information with a staggering 583 outside parties on average.

Client-side attacks have been around for a while, but they remain a blind spot for many organizations. Every client-side web attack is different, but they all rely on the fact that the attackers can gain access to the browser of the customer who is visiting the website. They can steal the customer’s payment details, including credit card information, in real-time. 

An online shopping cart is an extremely valuable target for a hacker. All of the payment details from customers’ cards have already been collected and are waiting in one place for a hacker to come along with their malware and take them right out of the cart. Virtually no ecommerce websites thoroughly vet the code used by these third parties, which makes the job of a hacker quite simple.

There’s Still Time

Engage with Source Defense now, and we will give you a level of security during this time that you’ve never enjoyed. We’re offering you a special program to protect your sites during the holiday code freeze period.

Source Defense Detect is an external scanning, detection, and alerting system for client-side attacks. 

With Source Defense Detect, we will remotely inspect your sites for signs of malicious activity. We’ll give your Security and Compliance teams all of the insights they need to both shut down data theft and ensure data security compliance. 

Our Offer to You:

  1. We’ll give you an immediate solution that scans your web properties for signs of malicious activity, data theft, and data leakage.
  2. This solution will inventory and inspect all 3rd party (and beyond) JavaScript operating on your site.
  3. We’ll use synthetic data to monitor script operation and flag any data theft or leakage concerns. 
  4. You’ll have access to a data-rich portal to inspect the alerts and take action. 
  5. We’ll give you this program with modified terms to streamline your internal processes – we’ll take care of you during the code freeze, and if we do our job, we’ll keep supporting you for the rest of the year. 

Interested in protecting your online checkout lanes during the holiday season?

Go here and fill out a request form – we’ll get right back to you and get rolling right away to close this major gap. 

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
