By Source Defense

Digital skimming attacks targeting customer data entered into payment forms on eCommerce checkout pages increased by 174% in the last half of 2022, according to Visa’s Spring 2023 Biannual Threats Report.

In digital skimming attacks, threat actors deploy malicious code onto a merchant website targeting their checkout pages to scrape and harvest payment account data entered by consumers, such as primary account number (PAN), card verification value (CVV2), expiration date, and personally identifiable information (PII). Attackers accomplish this by compromising the third- and fourth-party JavaScript code used by nearly all websites to provide online shopping carts, forms, analytics, advertising, social sharing, and much more.

Visa Payment Fraud Disruption (PFD) analysts discovered numerous developments in the digital skimming threat landscape during the last six months of 2022.

Outdated Payment Plugins

Various digital skimming campaigns within this six-month period continued to exploit unpatched and/or outdated eCommerce payment plugins used by merchant websites. Visa PFD identified three incidents in which different threat actors targeted the same eCommerce payment plugin used by eCommerce merchants.

In one of these attacks, threat actors targeted a North American eCommerce merchant. They created a fake checkout webpage that was then presented to customers as they purchased goods on the merchant’s website. This fake checkout page harvested cardholder data, including the PAN, expiration date, and CVV2. 

“After this malicious fake webpage was removed, the same threat actors compromised an administrator account, likely due to a weak or compromised password, and then appended malicious digital skimming code onto the merchant’s actual checkout page,” the report states.

In another attack, threat actors used an SQL injection attack against an outdated eCommerce payment plugin used by an eCommerce merchant and obtained administrator credentials. Once the compromised administrator credentials were obtained, the threat actors appended malicious digital skimming code to the legitimate code of the outdated payment plugin, which was used to then deploy this same malicious skimming code on the merchant’s checkout page.

A third compromise, which again targeted an outdated payment plugin, involved threat actors using a web shell to access the eCommerce merchant’s checkout page. Through this web shell, the actors appended digital skimming code to the payment processing plugin on the merchant’s checkout page.
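
All three incidents above end with code appended to a legitimate plugin or checkout file, and the third also relied on a web shell placed on the server. The following Python example is added here and is not taken from the Visa report or from Source Defense: it compares deployed files against a known-good baseline and separates files with trailing additions from rewritten files and from files absent from the release. The file paths, contents and function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(files: dict[str, bytes]) -> dict[str, dict]:
    """Record size and SHA-256 of every file in a known-good deployment."""
    return {p: {"size": len(b), "sha256": sha256(b)} for p, b in files.items()}


def classify(path: str, current: bytes | None, baseline: dict[str, dict]) -> dict:
    """Compare one file with the baseline and name the kind of change."""
    known = baseline.get(path)
    if known is None:
        return {"path": path, "status": "unexpected", "tail": b""}
    if current is None:
        return {"path": path, "status": "missing", "tail": b""}
    if sha256(current) == known["sha256"]:
        return {"path": path, "status": "unchanged", "tail": b""}
    # Original bytes intact but extra bytes follow: the "appended code" pattern.
    head, tail = current[:known["size"]], current[known["size"]:]
    if tail and sha256(head) == known["sha256"]:
        return {"path": path, "status": "appended", "tail": tail}
    return {"path": path, "status": "modified", "tail": b""}


def audit(live: dict[str, bytes], baseline: dict[str, dict]) -> list[dict]:
    """Classify every live or baselined file; return only the deviations."""
    paths = sorted(set(live) | set(baseline))
    results = [classify(p, live.get(p), baseline) for p in paths]
    return [r for r in results if r["status"] != "unchanged"]


# Constructed sample tree; paths and contents are hypothetical.
GOOD = {
    "plugins/pay/checkout.js": b"function pay(form){ submit(form); }\n",
    "plugins/pay/util.js": b"function fmt(n){ return n.toFixed(2); }\n",
}
LIVE = {
    "plugins/pay/checkout.js": GOOD["plugins/pay/checkout.js"] + b"/* unreviewed trailing code */\n",
    "plugins/pay/util.js": GOOD["plugins/pay/util.js"],
    "uploads/x.php": b"<?php /* file absent from the release */ ?>\n",
}
```

The `tail` returned for an "appended" file is exactly the bytes added after the known-good content, which is the part an analyst needs to review first.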

Coupon or Promotion Integrations on Merchant Websites

Another campaign involved threat actors exploiting a promotion or coupon code integrated into an eCommerce third-party payment service provider’s webpage.

The threat actors appended malicious code into five legitimate files in the victim’s environment, accessed remotely through web shells. This malicious code included two digital skimming malware variants which harvested payment account data from 45 eCommerce merchant environments using the victim’s payment services.

The first digital skimming malware infection consisted of malicious code to harvest and exfiltrate payment account data stolen during checkout. The malware sent the stolen payment data to an external domain controlled by the threat actors. 

The second digital skimming malware infection targeted merchant checkout processes and stored payment account data compromised during the checkout process in base64 format in a local .png file. “The malware harvested full PAN, expiration date, CVV2, and cardholder information, such as the customer’s physical address, when the customer entered this information into the customer input fields of the checkout page,” the Visa report states.
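
The staging technique described above leaves a detectable artifact: a file named .png that is not an image and whose content decodes from base64 into card-like records. The Python example below is added here for illustration and is not code from the Visa report or from Source Defense; it checks the PNG signature, decodes base64 lines and counts Luhn-valid 13 to 19 digit numbers. The one-record-per-line layout, the function names and the sample data (built around the public test number 4111111111111111) are assumptions.

```python
import base64
import binascii
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"              # first 8 bytes of every real PNG
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # candidate card numbers


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                           # ASCII digit to int
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_base64_lines(blob: bytes) -> list[bytes]:
    """Decode each line that is strictly valid base64; skip the rest."""
    out = []
    for line in blob.splitlines():
        line = line.strip()
        if len(line) < 16:
            continue
        try:
            out.append(base64.b64decode(line, validate=True))
        except (binascii.Error, ValueError):
            continue
    return out


def inspect_png(name: str, blob: bytes) -> dict:
    """Flag a .png that is not an image and hides card-like data."""
    finding = {"file": name, "is_png": blob.startswith(PNG_MAGIC), "pan_hits": 0}
    if not finding["is_png"]:
        for record in decode_base64_lines(blob):
            finding["pan_hits"] += sum(luhn_ok(m) for m in PAN_RE.findall(record))
    finding["suspicious"] = not finding["is_png"] and finding["pan_hits"] > 0
    return finding


# Constructed samples: a fake ".png" holding two base64 lines, and a real PNG header.
FAKE_PNG = b"\n".join(base64.b64encode(r) for r in (
    b"4111111111111111|12/25|123|1 Example St",
    b"order=1001;total=19.99;status=paid",
))
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
```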

Targeting eCommerce Cigar Shops

Threat actors also used digital skimming malware to target a series of eCommerce cigar shops during a campaign in July 2022. In this campaign, the threat actors targeted nine eCommerce cigar shops in one month, where they appended malicious digital skimming malware into the JavaScript of the cigar merchant’s checkout pages. 

“All of the victims used the same eCommerce platform to build their websites, were hosted on one or more of the same shared servers with the same IP address registered in the U.K., and the eCommerce websites were owned by or related to the same consumer brand management company based in Europe,” according to the Visa report.

Visa PFD analysts suspect that the threat actors were able to exploit a vulnerability within the parent company’s network infrastructure or the eCommerce platform used by all of the compromised cigar merchants. “This campaign highlights threat actors’ ability to compromise several victims who use the same platform once a common vulnerability is found within the initial victim’s environment,” the report concludes.

Third-Party Service Providers

Visa PFD also identified a digital skimming attack that targeted a technology-related eCommerce merchant because the merchant’s third-party hosting provider did not adequately update or patch the libraries for the merchant’s website’s Java-based logging utility identified as Log4j 2. 

“This outdated version of the Log4j 2 logging utility contained a remote code execution (RCE) vulnerability, tracked as CVE-2021-44228, which allowed the threat actors to gain remote access to the merchant’s eCommerce website environment,” according to the report. From there, the threat actors appended malicious digital skimming code into the legitimate code of the merchant’s checkout page, enabling the threat actors to harvest payment account data, such as PAN, CVV2, and expiration date.

“This attack underscores the need for merchants to keep all software within an eCommerce environment patched and up-to-date, and merchants must ensure they are aware of and mitigate vulnerabilities impacting their supply chain and third-party services, providers, and platforms.”

Make Digital Skimming Attacks a Thing of the Past

The Source Defense Client-Side Web Application Security Platform is an all-in-one, single, and scalable system built for complete threat visibility, control, and prevention of client-side attacks. With this one-of-a-kind technology, client-side threats are stopped in their tracks without your teams needing to lift a finger. Source Defense uses a prevention-first approach and real-time JavaScript sandbox isolation and reflection to prevent client-side attacks without alerting analysts.

Source Defense uses real-time JavaScript sandboxing technology to create virtual pages that isolate the 3rd party scripts from the website. The virtual pages are an exact replica of the original ones, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activities on the virtual pages. If the activity is within the scope of what they are allowed to do, we will transfer it from the virtual page to the original one. If not, we will keep their activity on the virtual pages isolated from the user and send a report to the website owner, alerting them of the 3rd party scripts violating their security policy.

This is as close to ‘set it and forget it’ security and data privacy as you will see on the market.

Cybersecurity analysts can rest easy at night — and engage in valuable activities during the workday — knowing that a critical portion of their job is being efficiently and automatically managed. Ultimately, the Source Defense platform offers a simple way to manage the 3rd party risk in your digital supply chain and prevent attacks from the client side. Waiting to act is simply waiting to be attacked. Visibility is the first and most important part of any risk mitigation program. Source Defense is ready to provide you with a free website risk analysis within the next few days. Get moving with the Source Defense team to close off this open gap in your eCommerce security.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
