Site icon Merchant Fraud Journal

How Online Web Skimming Attacks Work

TBIT / Pixabay

Online web skimming attacks continue to increase. This kind of eCommerce fraud attack works by fraudsters recording the information customers put into fake online payment forms. Stolen data includes credit card details, personal identifying information like names and addresses, and potentially even highly sensitive information like social security and passport numbers.

This kind of data theft does not directly hurt merchants. However, that doesn’t mean they shouldn’t take it very seriously. If the media pinpoints a merchant’s domain as a conduit for a skimming attack, it often does immense damage to the brand’s reputation. Sellers of commoditized goods should be especially wary. Customers may choose to avoid your shop in favor of competitors if they perceive your security to be lax and your site unsafe.

And because the eCommerce ecosystem continues to exponentially grow around the world, fraudsters increasingly take advantage of vulnerabilities. Web skimming attacks continue to plague online stores at both the SMB and enterprise level. Yet despite the already large number of high profile fraud attacks, the trend continues. Fraudsters find new success every day.

Online web skimming attacks work in a three stage process.

Stage 1: Gain (Undetected) Access to Site User Information

Online web skimming attacks start with a fraudster planting a skimming code. These codes are usually a piece of javascript. They are short and look very innocent, often mimicking legitimate processes and operations developers use to create eCommerce websites.

The technical, back-end nature of skimming codes explains why top CNP fraud prevention solutions can’t detect this kind of attack. Merchants need to pay careful attention to see what tactics are in vogue and use that information to do more to protect their own assets.

In addition, skimming works because fraudsters are increasingly adept at shrouding their tactics in a veil of user-facing legitimacy. A skilled hacker will make it impossible for customers to detect. Merchants cannot rely on chatter about user experiences to alert them to a problem.

In general, fraudsters gain access to website information in two ways:

Stage 2: Collect Sensitive Data from Site Users

Once a fraudster gains access, they use it to steal personal data from site users. A variety of tactics exist to accomplish this. But two are very common because they give direct access to verified, accurate data:

Stage 3: Store the Stolen Data

Finally, fraudsters must store the data they steal. Nothing can be done by merchants at the stage of the process. However, there is at least one very important reason to conceptualize it: the information is commonly sent to a proxied domain.

The proxy domain setup is another way fraudsters hide their tracks and keep their online web skimming attacks hidden from merchants. It’s common for the domain used to mimic the legitimate site. This tactic played a role in a highly successful skimming attack on the site of British Airways that lasted three weeks and compromised 380,000 users.

The Best Way to Protect Against Online Web Skimming Attacks

Skimming attacks continue to succeed because merchants remain ill-equipped to prevent them. Unlike detecting native account takeover attacks against in-house assets, it’s tempting to have less urgency about user-facing damage. But it should not be. After the British Airways skimming attack, CEO Alex Cruz was forced to go on a mea culpa tour apologizing for the damage caused to customers.

To avoid that, merchants should do whatever they can to secure their API calls. In addition, they should simply pay attention to their systems. Fraudsters do all they can to remain in the shadows; the best way to stop their skimming attacks is to constantly shine light in all of the places they hide.

Exit mobile version