The organization, which is part of the British government, says it found thousands of sites vulnerable to an attack called “e-skimming”: the insertion of malicious code into the payment-processing pages of a website to obtain customers’ financial information. Hackers are reportedly targeting websites by exploiting a vulnerability in one specific ecommerce platform, Magento, which websites use to facilitate payments, rather than any of the other leading ecommerce software.
NCSC Findings: Cause for Concern in the UK and US
The National Cyber Security Centre found 4,151 online shops that had been compromised by the end of September, with customers’ sensitive financial data being stolen in the process. The vast majority of these websites were compromised through a vulnerability in Magento, a popular ecommerce platform used by thousands of small business websites on both sides of the Atlantic, which is allowing hackers to carry out “e-skimming.” Magento is also the ecommerce platform of choice for many large companies based in the US, such as Nike, Canon, and Burger King. This isn’t Magento’s first run-in with hackers, either: just last year, the FBI warned businesses using the platform about a three-year-old plugin vulnerability that was being used to steal credentials from shoppers. This week’s news, however, is particularly concerning given its proximity to Black Friday and Cyber Monday, both of which see an influx of UK and US users turning to the web to take advantage of deals.
What is e-skimming?
E-skimming is an attack in which hackers gain access to the payment area of an online store through some kind of vulnerability. In this case, the weakness lies in the third-party ecommerce platform being used, Magento, rather than in the individual websites themselves. This type of fraud is often referred to as “Magecart,” named after the family of malware used to intercept payment details at the point of purchase. Once an exploitable entry point has been identified, the hackers inject malicious code, sometimes called “skimming code,” that lets them modify the site’s JavaScript files and then lift payment credentials as shoppers enter them. The name Magecart isn’t a coincidence either: the malicious code was originally designed specifically to target companies using Magento, but the term is now used more broadly for all attacks of this kind.
What can I do to protect myself from e-skimming?
If you own an online store…
If you’re a business owner with an online store (whether it uses Magento or not), one important step to take immediately is to ensure that the ecommerce platform software you’re running is fully up to date. In this case specifically, that means having the latest security patches installed in time for Black Friday and Cyber Monday. Regardless of the time of year, however, if you’re processing a high number of credit or debit card transactions, it’s vital to have a cybersecurity strategy in place, backed by as much funding as you can reasonably allocate to it.
If you’re thinking about creating one…
If you’re yet to set your store up, or are thinking about moving from one ecommerce platform to another, it may be worth considering platforms like Shopify and BigCommerce, because they don’t allow custom JavaScript to be injected into payment pages, which is a useful security measure. However, it must also be said that some hackers are now using “agnostic” skimming code that works across a variety of ecommerce platforms, and are also targeting websites directly, as well as third-party widgets and other components such as analytics providers.
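The control the article credits to hosted platforms (no custom JavaScript on the payment page) can be approximated on a self-hosted store by auditing every script tag on the checkout page against a deployment allowlist. The following is an added example, not code from the article, the NCSC or the Magento project: it parses a checkout page, flags script sources outside the allowlist, flags third-party scripts without a Subresource Integrity attribute, and flags inline scripts whose SHA-256 hash is not in the manifest. The inline hashes use the same `sha256-<base64>` form that a Content-Security-Policy `script-src` directive accepts, so the same allowlist can be emitted as a CSP header. The sample HTML, the `.test` hostnames and the allowlist are constructed for illustration.

```python
"""Allowlist audit of <script> tags on a checkout page (added example).

Models the article's "only known scripts may run on the payment page" control
for a self-hosted store. Sample HTML, hostnames and allowlist are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script content over raw (CDATA), possibly in chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inline_hash(script_body):
    """CSP-style hash source for an inline script body (UTF-8, SHA-256, base64)."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def audit_checkout_page(html, allowed_hosts, allowed_inline_hashes):
    """Return (finding_type, detail) tuples for scripts that deviate from the allowlist.

    allowed_hosts: set of hostnames; the literal "self" stands for same-origin URLs.
    allowed_inline_hashes: set of "sha256-..." strings from the deploy manifest.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or "self"  # relative URL => first-party
            if host not in allowed_hosts:
                findings.append(("unexpected-source", s["src"]))
            elif host != "self" and not s["integrity"]:
                # A known CDN is still a supply-chain risk without SRI pinning.
                findings.append(("missing-integrity", s["src"]))
        else:
            h = inline_hash(s["body"])
            if h not in allowed_inline_hashes:
                findings.append(("unexpected-inline", h))
    return findings


def csp_script_src(allowed_hosts, allowed_inline_hashes):
    """Emit a script-src directive that enforces the same allowlist in the browser."""
    sources = []
    if "self" in allowed_hosts:
        sources.append("'self'")
    sources += [f"https://{h}" for h in sorted(set(allowed_hosts) - {"self"})]
    sources += [f"'{h}'" for h in sorted(allowed_inline_hashes)]
    return "script-src " + " ".join(sources)


# Constructed sample: one first-party script, one known payment-fields CDN
# without SRI, one expected inline config, one unknown third-party loader and
# one inline script that is not in the manifest.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-payments.test/v2/fields.js"
        crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
<script src="https://static.analytics-widget.test/loader.js"></script>
<script>
var f = document.getElementById("payment");
</script>
</head><body><form id="payment"></form></body></html>"""

ALLOWED_HOSTS = {"self", "cdn.example-payments.test"}
ALLOWED_INLINE = {inline_hash('window.checkoutConfig = {currency: "GBP"};')}

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, ALLOWED_INLINE):
        print(f"{kind}: {detail}")
    print(csp_script_src(ALLOWED_HOSTS, ALLOWED_INLINE))
```

Run against the sample, the audit reports the unpinned CDN script, the unknown analytics host and the unknown inline block. The audit is a static check of the served HTML; scripts that load further scripts at runtime are only contained by the CSP directive the same allowlist produces, which is why the two are generated from one manifest.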
If you’re a shopper…
If you’re a shopper, on the other hand, the best thing to do is to use a credit card rather than a debit card if you can, given the lower liability for fraud and the fact that getting money returned to a debit card isn’t the quickest process. If you are paying for something online, look at recent reviews of the website you want to buy from, and enter only the minimum amount of personal information required for a given purchase. Having a dedicated card for online transactions that’s kept very close to empty could also help, as would a virtual credit card. You should only hand over payment details on websites whose URLs start with HTTPS (this doesn’t mean every HTTPS website is safe, but sites without it should be treated with extreme caution). Lastly, if you think you’ve been a victim of online fraud, report it to your bank immediately and cancel the relevant cards to avoid further fraudulent transactions.