E-commerce merchants face digital skimmer threat
In the same way a card skimmer steals credentials at an ATM, gas pump or point-of-sale terminal, the Magecart malware hides beneath the surface of a website with a digital skimmer to obtain card and personal information.
It's a significant problem that has left more than 800 e-commerce sites infiltrated with a malignant code — including the Ticketmaster breach disclosed two months ago — according to research by RiskIQ.
Magecart has transitioned from hacking individual websites to burying its malicious code within the scripts of third-party services that run on e-commerce sites. In effect, RiskIQ says, a single attack on a site can affect all of that provider's clients, impacting hundreds or even thousands of websites.
The malware is a wake-up call to online merchants that may have come to accept that a certain amount of fraud will occur.
“Merchants have become almost numb to cyberfraud, but they cannot afford to ignore it," Monica Eaton-Cardone, co-founder and chief operating officer of disupute mitigation and prevention firm Chargebacks911, said in a press release warning of the dangers of Magecart.
"Cybercriminals are always finding new vulnerabilities to exploit,” Eaton-Cardone added. “E-commerce businesses need to stay abreast of new threats and continue to fight fraud on multiple fronts.”
Payment Card Industry security standards compliance is a strong baseline, but it doesn't guarantee anything when it comes to halting fraud attempts, Eaton-Cardone said. And the focus can't simply be on internal servers, she added.
Various steps are essential to mitigate the risks and potential losses from the Magecart data-skimming threat.
First, merchants should deploy encryption to their data because it is a technology that has advanced to the application level, not just as a safety tool for stored data.
A stronger connection tracking network and a firewall rule base analysis can help merchants identify inbound connections that may have otherwise escaped notice on the network. Similarly, merchants should run scans on external-facing hosts and cloud environments to identify services that are "listening" for inbound connections.
As soon as a breach is made public, Eaton-Cardone said her company urges merchants to scan all code for cybercriminals' domains and IP addresses, as any scripts with the webfotce.me domain indicates a Magecart breach.
Finally, any rules or procedures in place that can limit human error or system glitches can help a company stay safe.
It's vital to implement solutions that address both intentional and accidental data breaches as well as chargebacks and other financial hits, Eaton-Cardone said.
"Merchants need to view cyberfraud as an ongoing battle with many points of attack," she added. "You can't sit back and play defense. You have to actively identify and address vulnerabilities, boost fortifications and take the fight outside your walls."