FBI Issues Warning About E-Skimming Threats and Tips for Reducing Risk

The Federal Bureau of Investigation has issued a warning about e-skimming threats, following an increase in attacks on small and medium sized businesses and government agencies.

E-skimming is the introduction of malicious code on websites that process online payments. The code captures debit and credit card information when it is entered into payment portals and the information is silently transmitted to an attacker-controlled domain in real-time.

Attacks can be performed on any company that has an online payment system, most commonly on companies in the retail, travel, and entertainment industries and utility companies. Attacks are also conducted on third-party vendors, such as those that provide web analytics and online advertisements.

Recently, an e-skimming attack was reported by a healthcare organization – Mission Health in Western North Carolina. Code had been loaded onto its e-commerce websites which allowed the attackers to obtain the credit card information of individuals when they purchased health products. The malicious code was active on the websites for three years before it was detected.

There are several methods that attackers use to access to a website to load their malicious code. An attack could start with a phishing email containing a link to a website that captures login credentials to the company’s e-commerce platform. Access could also be gained using brute force tactics to guess the e-commerce system password, or vulnerabilities in the e-commerce platform or website could be exploited. Attacks could also occur through compromised supply chains or via a third-party vendor with access to the e-commerce platform, such as an IT company or managed service provider.

These attacks often come to light when multiple complaints are received from customers who have suffered financial losses after using an e-commerce website. Credit card companies may identify patterns in fraud and trace them back to a specific online payment portal, or companies may identify a suspicious domain in their website code or notice that JavaScript code on the website has been edited.

There are several steps that can be taken to reduce risk. The payment software used on an e-commerce site, plugins, and the content management system should be kept up to date and patches issued by payment software companies should be applied as soon as possible. Third-party resource integrity checks should be activated via Content Security Policy (CSP) to limit the loading of JavaScript to trusted domains.

Code integrity checks should be performed regularly to identify any changes to the code on the e-commerce platform and web logs should be monitored and regularly analyzed. Anti-virus software or plugins should be used on websites to help identify malicious code and businesses should ensure they are PCI DSS compliant.

To protect against brute force attacks, strong, unique passwords should be created, and multi-factor authentication should be implemented to help ensure stolen credentials cannot be used to gain access to the e-commerce platform.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.