Share this article on:
The Federal Bureau of Investigation has issued a warning about e-skimming threats, following an increase in attacks on small and medium sized businesses and government agencies.
E-skimming is the introduction of malicious code on websites that process online payments. The code captures debit and credit card information when it is entered into payment portals and the information is silently transmitted to an attacker-controlled domain in real-time.
Attacks can be performed on any company that has an online payment system, most commonly on companies in the retail, travel, and entertainment industries and utility companies. Attacks are also conducted on third-party vendors, such as those that provide web analytics and online advertisements.
Recently, an e-skimming attack was reported by a healthcare organization – Mission Health in Western North Carolina. Code had been loaded onto its e-commerce websites which allowed the attackers to obtain the credit card information of individuals when they purchased health products. The malicious code was active on the websites for three years before it was detected.
There are several methods that attackers use to access to a website to load their malicious code. An attack could start with a phishing email containing a link to a website that captures login credentials to the company’s e-commerce platform. Access could also be gained using brute force tactics to guess the e-commerce system password, or vulnerabilities in the e-commerce platform or website could be exploited. Attacks could also occur through compromised supply chains or via a third-party vendor with access to the e-commerce platform, such as an IT company or managed service provider.
Code integrity checks should be performed regularly to identify any changes to the code on the e-commerce platform and web logs should be monitored and regularly analyzed. Anti-virus software or plugins should be used on websites to help identify malicious code and businesses should ensure they are PCI DSS compliant.
To protect against brute force attacks, strong, unique passwords should be created, and multi-factor authentication should be implemented to help ensure stolen credentials cannot be used to gain access to the e-commerce platform.