Digital skimming: the lucrative cybercrime

Digital skimming is one of the major hidden threats to any business. With social distancing rules still in effect, companies are increasingly interacting with their customers over digital channels such as websites and mobile apps. Even traditional brick-and-mortar businesses such as restaurants are now letting customers pre-order and pay for meals online.

Anytime there is a digital transaction, the business has to collect personal data from the user. This data could include names, email addresses, passwords, phone numbers, payment card data and verification codes. And this data is most vulnerable at the point of entry.

Stealing from the source

Digital skimming, or magecart attacks, as they are more commonly known, steal this information right at the source as the user types it into a web form or a mobile app. The business is often unaware that this happened since the information was skimmed from the user's computer as opposed to the company's servers. The lack of visibility means that the attacks often go undetected for weeks or months, while hackers yield a rich bounty of credit card numbers to sell on the dark web. Researchers estimate that the loot from a 2019 magecart attack on a major e-commerce platform could net the fraudsters up to $130 million.

The economics behind such attacks are so lucrative that there are toolkits now available on the dark web that will enable even the most inexperienced hackers to run digital skimming operations. Nation states facing financial sanctions are also trying to tap into this alternate revenue source by launching their own skimming operations.

Digital skimming attacks usually start by gaining privileged access to the admin console for an e-commerce website. The hackers then place a small snippet of code into one of the website scripts. When a user loads the site on their browser, the skimmer code gets loaded along with all the legitimate scripts. As users type in payment card information into a web form, the skimmer code copies this information and transmits it to another server controlled by the hackers. From there, the hackers are able to harvest credit card numbers and sell them on the dark web.

These attacks often use creative means to evade detection, such as using lookalike domain names, or piggybacking on commonly used third-party services like Google Analytics.

What can be done about it?

Data privacy should be an essential part of any digital experience. With increasing privacy regulations such as the California Consumer Protection Act and the Global Data Privacy Regulation, the stakes are much higher for any business. The largest compliance fine ever levied under GDPR was for a data breach resulting from a digital skimming attack. British Airways was fined $240 million by U.K. regulators for its role in leaking almost 300,000 customer records over the course of two weeks in 2018.

Businesses must incorporate privacy-by-design principles throughout their customer-facing applications and must take steps to protect the data at the point of origin. Client-side application security solutions, like PerimeterX Code Defender, can provide continuous protection against digital skimming attacks and prevent data breaches.

Any business handling payment card data must comply with the PCI-SSC standards for protecting cardholder data. This requires them to ensure that any payment card data is encrypted or tokenized at the source and never stored in the clear. However even a PCI compliant business is still vulnerable to digital skimming attacks that skim the data at the point of entry.

Some businesses use third-party payment services such as Stripe or Braintree that run within an iframe, and don't expose the card numbers to other scripts. Hackers have been able to bypass this protection by creating fake checkout pages that lure unsuspecting users to divulge their credit card information.

Account takeovers

Account takeover attacks are brute force attacks aimed at gaining access to a password-protected site. Attackers use automated bots to periodically try username/password combinations to log into a website or a mobile app. These combinations could be random guesses or from a dataset of stolen passwords purchased on the dark web. The automated bots are able to run thousands of transactions each second, thus improving the odds of finding a valid username/password combination resulting in an account takeover attack.

Many automated bots are good bots. For example, the Google search engine uses automated crawlers to periodically index the Internet. A monitoring service might periodically load your website to collect performance stats.

Keep in mind that anybody can pay an annual fee and register a domain name if it hasn't already been taken. Domain registration privacy provisions mean that the owner of the domain can choose to keep their identity private. So outside of law-enforcement, it becomes nearly impossible for anyone to verify if a domain is really owned by the business. This allows hackers to launch phishing as well as digital skimming attacks.

Dealing with clients and businesses now that contactless payments and social distancing has become a way of life. The key is not to let the digital skimmers profit by not taking precautions against entry point data theft.