e-skimming

While ransomware and leaky or completely unprotected databases dominated headlines in 2019, e-skimmers quietly made a killing. A major e-skimming compromise was discovered on Macy’s website at the start of the holiday season in which hackers captured the payment information of a number of online shoppers. The retailer wasn’t alone. American Outdoor Brands, Puma, Ticketmaster UK, British Airways, Vision Direct, Newegg, and many, many others were also infected by e-skimmers.

The best way to avoid getting skinned by e-skimming is standard issue: We all need to monitor our accounts, avoid using debit cards (because they are a direct money funnel), keep our password games strong, and generally practice good cyber hygiene. On the business side of things, it’s crucial that software patches are applied as soon as they’re released, and that employees are trained to recognize the signs of compromise.

As with many cyber threats, the best solutions are cultural. We need to get in the habit of putting security–which includes constant vigilance–first, second, and third in our online activities.

But while this is all perfectly sound advice, it’s not going to solve the e-skimming problem, which is that e-commerce sites are increasingly complex and because of that more difficult to defend. They have an ever-expanding attackable surface in an environment where reducing that surface is the watchword.

E-Skimming 101: Cyber Pilot Fish

E-skimming is a hack. A small piece of code is added to an e-commerce website that intercepts payment information. The code can be added by compromising a website’s server, via a phishing attack, exploiting a known software vulnerability, or luring a developer into using what seems like a legitimate plug-in or module for a website that includes the malicious code.

It doesn’t matter if the site is encrypted or you see the green padlock by a URL. E-skimming doesn’t intercept information in transit. It lives on the targeted website and records payment information and other sensitive identifying information as it is entered by the consumer during the checkout process.

Typically, the e-skimming software just sits there accumulating payment information and transmitting it to the hacker who put it there until it is discovered–something that often takes months. From there, the hacker can sell the stolen information in bulk, or cherry-pick a few payment cards to turn a profit.

In the high-turn world of online shopping, e-skimmers are like pilot fish getting a good meal by hitching a ride on super-predators at the top of the retail food chain.

Too Many Coders in the Kitchen

E-commerce websites are composed of huge shoals of code written and developed by hundreds, if not thousands, of people.

The Magento open-source shopping cart served as the namesake for the e-skimming group (or groups) known as MageCart. It has more than 4.5 million lines of code with edits and additions made by more than 500 developers. WooCommerce, another open-source solution, has a less unwieldy 175,000 lines of code, but still plenty for a hacker who wants to hide something.

That is just the dorsal fin. The core code of these platforms, while sprawling, is at least maintained by companies constantly searching for new vulnerabilities and patching them. The bigger problem is that e-commerce sites often implement a wide variety of plug-ins, extensions, widgets, and added bits of software, all of it introducing more code and expanding the site’s attackable surface.

A single line of code added to a Magento extension infected at least 200 online e-commerce sites with e-skimming software last year. Inconspicuous, it was added via an account on a Microsoft-owned code repository. A quick search shows sites are still running the compromised version of the extension months after it was identified.

The issue isn’t unique to Magento or WooCommerce. Other e-commerce platforms, including OpenCart, OsCommerce, and Shopify, have been targeted and compromised by similar attacks. While poor data hygiene is the cause of some attacks, many are detected by accident, or because a hacker gets greedy and a credit card company zeroes in on an affected site.

The solution is to be had not in a lab or working group. It is cultural. E-skimming is a double threat: to consumers and businesses, and they are both part of the solution. A vigilant retail environment reduces everyone’s attackable surface.