USA TODAY International Edition

Online shoppers, be wary of skim scam

Holidays offer a big target for e- skimming

- Susan Tompor

We all know we need to be on the lookout for skimming devices that crooks install at ATMs or at the pump at gas stations.

But just in time for the holiday shopping season, we’re now being warned that the hackers are watching our online shopping carts, too, in order to steal our credit card and debit card information.

Such theft can happen whether you’re buying something online through a legitimate website or mobile app. Big names that have been targeted include the online store for the National Baseball Hall of Fame, which had a malicious payment code running between Nov. 15, 2018, and May 14, 2019.

It may be very difficult for a consumer to detect compromise­d websites that have been hit by an e- skimming scheme.

It’s the next new wave for collecting stolen data to fill the shelves of the cyber black market.

“Any business accepting online payments on their website is at risk of an e-skimming attack,” according to an October alert from the Federal Bureau of Investigation office in Detroit.

Cyber criminals introduce skimming code on e-commerce payment processing web pages to capture credit card data and information such as your name, date of birth, account numbers, passwords and location information, the FBI said.

Security experts are noticing a wave of what’s called Magecart attacks – the name used for widely distributed malicious software used by cyber criminals – and the threat could rival the well-known compromises of point-of-sale systems of retail giants such as Home Depot and Target, according to RiskIQ, a San Francisco-based cyber security company.

Digital skimming operations are attuned to how a real company’s payment page looks and can blend in with normal payment processing to avoid detection.

“Customers have no way of detecting Magecart,” according to Mike Browning, senior manager of content and public relations for RiskIQ.

Major companies have been caught in the digital web-skimming trap. Ticketmaster was compromised via a third-party analytics supplier; British Airways was compromised directly.

Who’s running e-skimming schemes?

Many of the bad actors operate out of Eastern Europe. Some groups sell the stolen credit card data on the web. At least one group has used a complex reshipping scheme to make money, Browning said.

Browning said one scheme uses phony job postings in Russian-language newspapers distributed in the United States. The pitch promises a way to make money by buying goods with stolen credit card data and shipping them to Eastern Europe so Magecart actors can sell the goods elsewhere for a profit.

How does it work?

Typically, the scammers exploit weak links in a company’s e-commerce platform. In many cases, a consumer can be redirected to a malicious domain where the skimming code can capture the customer’s information from the checkout page.

The skimming code would capture your information in real time and send it to a remote server where the data is collected by the criminals behind the scenes. The consumer’s credit card data would either be sold or used to make fraudulent purchases from that point going forward.

Experts say the stolen data can be found for sale on the Dark Web where it is acquired to create counterfeit cards, launch phishing attacks and commit other types of fraud.

In many cases, a security firm ends up notifying the retailer or other business that their site has been hacked. And much later, consumers may hear about big data breaches.

What should consumers do?

Adam Levin, founder of CyberScout, said consumers should understand that more e-skimming attacks may be planned for the months ahead.

“There is often a spike in cyber attacks and fraud during the holiday season, and this year will be no different,” Levin said.

It is hard to avoid being e-skimmed as you shop online, Levin said. But several steps can be taken by consumers to protect themselves in the event of such hacking attacks.

Levin and other experts suggest that consumers don’t use debit cards to shop online, as bad actors would have easier access to your checking account – and you could have a harder time straightening out problems with your bank.

Even when you use a credit card, it may be wise to take other precautions. Avoid entering credit card details into a website. Large stores, such as Amazon, will store your card in your account, so you don’t need to enter it into a web form where a Magecart skimmer might be lurking, Browning said.

Small shops now offer Amazon Pay, which allows you to avoid potential skimming by paying via the card stored in your Amazon account rather than manually entering your credit card details, Browning said.

Another way to avoid entering your card details is by using Apple Pay, PayPal, or a similar mobile payment system, which sends a sort of one-time token of your credit card information. Even if Magecart happens to skim the token, Browning said, they can’t access the associated credit card information. Services like PayPal ensure you never have to enter your information into an e-commerce site directly.

Lewis of Duo Security suggests online shoppers avoid clicking on banner ads for a specific store or product to avoid any pop-ups. Instead, he said, type the web address in yourself.
