Safe online shopping is more critical than ever, with Amazon Australia’s Prime Day having just taken place and holiday shopping imminent as Black Friday and Cyber Monday approach. This makes it a timely moment for online retailers to ensure they are protecting their customers’ private data and credit card details from landing in the wrong hands, particularly as more shoppers than ever before will be avoiding crowds this year and opting to shop online.
According to AustCyber’s Australia’s Digital Trust Report 2020, revenue for the online shopping industry jumped to 21.8 per cent in March 2020 in year-on-year terms, signalling a huge uptake in e-commerce as we avoided shopping centres and relied on products being delivered to our homes.
As we enter the peak online shopping period, we can predict this uptake in online shopping will only continue to grow, and it is crucial that consumers can shop securely online. But with an increase in online shopping comes an increase in threat actors preying on this uptake and finding new ways to infiltrate online retailers’ systems.
Who’s at risk?
Web skimming, also known as digital skimming, is the process of stealing customer data, including credit card information, from compromised online stores. For the past several years, a number of criminals have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.
In March this year, Malwarebytes identified a targeted web skimming cyberattack against household brand Tupperware and its associated websites, compromising the official Tupperware.com site – which averages close to one million monthly visits. Malicious code was hidden within an image file that activated a fraudulent payment form during the checkout process and collected customer payment data.
After being alerted to the scam, Tupperware was able to remove the malicious code, though for such a high-profile brand with so many site visitors, many customers’ data had already been compromised. While big-name retailers are often the prime target for skimming attacks, small online retailers that process their own payments are usually the most at risk.
According to data from Malwarebytes, web skimming increased by 26 percent in March this year over the previous month, as cybercriminals’ attention was drawn by the changing habits of online shoppers due to COVID-19.
So, what happens next?
Despite the prevalence of skimmer attacks, identifying this type of threat can be challenging. Unlike other kinds of cyber theft, there are often no visible signs that a skimmer has been injected into a website.
Once web skimming occurs at the checkout, threat actors have access to credit card information, the victim’s name, address, email and often date of birth. This data is then lifted by cybercriminals who sell it on the dark web, where it can be exposed to further cyberthreats and more data loss. Although banks are often able to reverse any fraudulent payments, it is not a process you want your trusted customers to have to experience.
Online retailers need to ensure the issue is remediated by removing the malicious skimmer code from the website. Working with IT and security partners, they can review logs to find the point of entry and reveal how long the criminals had access to the site, in order to ensure data is now protected and any theft is reported to the consumer and relevant law enforcement body.
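Because an injected skimmer often leaves no visible sign, one check a retailer's IT or security partner can run is to compare everything the checkout page loads or posts to against the origins the store expects. The following is an added example, not code from the original article or from Malwarebytes; the origins, paths and sample page are constructed, and the function name `auditCheckoutHtml` is hypothetical.

```javascript
// Added example. Origins, paths and the sample page are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",     // the store's own origin (assumed)
  "https://pay.psp.example",  // its payment provider (assumed)
]);

// Elements that can load code, frame a form, or receive submitted data,
// mapped to the attribute that names the remote end.
const WATCHED = { script: "src", iframe: "src", form: "action", img: "src", link: "href" };

// Returns every watched element whose URL resolves outside the allowlist.
// Regex tag matching keeps the example dependency-free; a production audit
// should walk a real DOM. Inline scripts are not inspected here.
function auditCheckoutHtml(html, pageUrl, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const tagRe = /<(script|iframe|form|img|link)\b([^>]*)>/gi;
  for (const [, tagName, attrs] of html.matchAll(tagRe)) {
    const tag = tagName.toLowerCase();
    const attrRe = new RegExp(
      `(?:^|\\s)${WATCHED[tag]}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const hit = attrRe.exec(attrs);
    if (!hit) continue; // e.g. inline script or form with no action
    const raw = hit[1] ?? hit[2] ?? hit[3];
    let origin;
    try {
      origin = new URL(raw, pageUrl).origin; // relative URLs resolve to the page
    } catch {
      origin = "unparseable";
    }
    if (!allowed.has(origin)) findings.push({ tag, url: raw, origin });
  }
  return findings;
}

// Constructed checkout page: two expected scripts, one logo, one cart form,
// plus an iframe and a form target that nobody on the team added.
const PAGE_URL = "https://shop.example/checkout";
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://pay.psp.example/sdk.js"></script>
<img src="/img/logo.png">
<iframe src="https://checkout-forms.example.net/pay.html"></iframe>
<form action="https://collect.example.org/submit" method="post"></form>
<form action='/cart/update'></form>`;

console.log(auditCheckoutHtml(SAMPLE_HTML, PAGE_URL));
```

Run on a schedule against the rendered checkout page, a non-empty result is a prompt to investigate when the unexpected element first appeared.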
It’s time to protect
While there is no one-stop shop for preventing web skimming entirely, there are a number of measures retailers can put in place to minimise the risk.
- Outsource: A sure way to both reduce the stress of security risks and win back time to refocus on your business’s bread and butter is to outsource the handling of financial transactions to a larger, trusted third party. Although this is more costly than handling transactions internally, the potential costs of a cybersecurity breach far outweigh it, and you will be able to ensure transactions are in safe hands.
- Access control: Tightening day-to-day security measures is key. Online retailers need to ensure any potential vulnerabilities are protected by applying patches with IT and security partners. Additionally, implementing stricter access control requirements into the back end of sites, including requiring two-factor authentication and updating passwords on a regular basis, will also help to protect your site.
- Legitimacy: A key way to detect an online scam is by carefully reviewing the copy for spelling and grammatical errors, as this is often a giveaway for a nasty threat actor. By ensuring your platform is free from errors, customers will be more likely to view the site as credible and legitimate and have peace of mind to shop safely.
Consumers, too, should be wary when shopping and consider using trusted payment services where available. This shopping season is proving to be different from anything we’ve experienced in the past, making it critical to pay extra attention when it comes to payment safety.
Christopher Boyd is lead malware intelligence analyst at Malwarebytes