You're probably aware of credit card skimming, when attackers modify a physical card scanner to steal the details of anyone who uses it. But did you know that online card skimming is a threat too?
Recently, a particular type of this attack, titled Magecart, has become much more prevalent. Let's look at what these attacks entail, who was affected, and how to keep yourself safe.
What Is Virtual Card Skimming?
When you scan your card at a physical terminal in a store, your credit card information transfers to that company so it can charge you for your purchase. A skimmer, sometimes installed at unattended scanners such as those at gas station pumps, intercepts this card information and sends a copy to thieves.
Virtual card skimming is a similar idea. In these cases, attackers planted malicious code on the checkout pages of many popular websites. Anyone who checked out while that code was in place was unknowingly handing their information over to a thief as well.
Magecart is the name given to a series of attacks carried out over the last several weeks. Security company Symantec found 248,000 attempts have been made since the middle of August, with over 35% of these happening on September 13 through the 20th. Researchers have found over 1,000 website domains were affected by this.
So far, the attackers have compromised the websites of Ticketmaster, British Airways, Feedify, and Newegg. They've used similar tactics in each attack. Let's take a look at the Newegg incident to see how this attack works.
The Newegg Magecart Attack
The Magecart attackers started by creating a website with a legitimate-looking name: neweggstats.com. They purchased a website security certificate to make the site appear genuine.
At a quick glance, this looks like an official part of Newegg's site, but of course it wasn't. They later had this website redirect to a server, which is where they collected the skimmed credit card info.
Shortly after, the attackers injected code to skim payment information onto Newegg's checkout page. Since this page only loads after a user has at least one product in their cart and has confirmed their delivery info, not every Newegg shopper gets there. This helped the skimmer code stay undetected for as long as it did.
The malicious code that they placed recorded the entered payment information and sent it to the bogus neweggstats website, where the attackers could collect it.
This script was active from August 14 to September 18; thus over a month's worth of transactions were compromised.
How to Stay Safe When Paying Online
This attack is pretty scary. The fake website domain looks fine to the untrained eye, and the attackers integrated the code into the page seamlessly. While the attackers went for some big targets, there have also been reports of smaller shops compromised with this attack too.
I need to buy something online and I'm terrified to access the checkout page. Thanks, Magecart!
— Catalin Cimpanu (@campuscodi) September 24, 2018
Thus, it's vital to know a few tips that will reduce the chance of having your information stolen in an attack like this:
- Don't enter your payment information directly into a website if possible. This is the most important takeaway from this incident. Many websites give you the ability to enter your info on their site or use a payment service such as PayPal or Amazon Payments. If given the choice, choose PayPal or a similar option. If the site is infected with skimming code like Magecart, you won't have entered any info for it to steal.
- On your phone, use Apple Pay or Google Pay when you can. This attack wasn't just limited to desktop sites. Mobile customers were at risk too. If you have the option to use Apple Pay or Google Pay set up on your device instead of entering your number directly, you should do so. These obfuscate your payment info, making it more difficult to steal.
- Use a credit card, not a debit card, when paying online. If your payment information is stolen, it's much easier to get it back when using a credit card. Most credit card companies have policies in place to protect you from unauthorized transactions. Further, if your credit card number is stolen, the company has a vested interest in getting their money back. A stolen debit card means it's your money on the line.
- Cancel your credit card if you used one of the sites recently. If you bought something from one of the above services, contact your credit card company and let them know. You should cancel the card and get a new one to prevent a thief from using it. Keep an eye out for more companies affected by this in the future, too.
Ultimately, using your credit card anywhere comes with a level of risk. These attacks are unfortunate, and continue to evolve as thieves become craftier. But with the right practices, you can reduce your vulnerability.