All About Online Skimming or Digital Skimming Attacks

Online Skimming & Digital Skimming Attacks

The rise in recent years of digital skimming attacks (web-based supply chain attacks) is stressing the e-commerce industry. E-commerce companies cannot ignore web-based supply chain attacks that result in direct website breaches.

Our previous blog posts, Client-Side battle against JavaScript attacks and Why SRE’s should worry more about third-party javascript, shed light on the growing digital skimming menace.

Digital skimming is a semi-new threat. Often called “Magecart,” it consists of more than a dozen “official” rival groups. These groups are targeting online retailers and eluding security researchers. Interestingly enough, these groups don’t always play nice with each other: they compete to steal “low hanging” credit card data and personally identifiable information (PII) and resell them on deep-web and dark-net markets. This client-side threat is the new face of modern e-commerce cybercrime.

What is Skimming

Skimming Definition: Skimming or card skimming was originally used to describe the physical tampering of POS (point-of-sale) devices, ATMs and gas pumps by placing a hidden device inside them to steal credit card information.
The stolen credit card information is used to make online (card-not-present) purchases, cloned for in-store (card present) purchases or sold on different deep-web markets and darknet markets.
Victims of credit card skimming were often unaware of the theft until they noticed unauthorized charges on their account.

What is digital skimming or online card skimming

Digital skimming is a term describing the action of stealing credentials and sensitive payment information from website visitors. Digital skimmers use pre-placed malicious JavaScript code that sniffs user inputs from sensitive forms or creates a malicious iframe with fake payment forms to sniff credit card information.

[Image: an example of a card skimmer]
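A defender-side check for the two techniques described above, as an added example that is not from the original post: it audits a snapshot of a checkout page's script and iframe sources against an origin allowlist. The origins, the inventory shape, the field-name pattern and the function names are assumptions, and the sample data is constructed.

```javascript
// Added example: origins, field names and the inventory shape are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example", // first-party site (assumed)
  "https://pay.example",  // payment provider (assumed)
]);
const CARD_FIELD = /card|cc-?num|cvv|cvc|expir/i;
// Resolve a possibly relative URL against the page and return its origin.
function originOf(url, pageUrl) {
  try { return new URL(url, pageUrl).origin; } catch { return null; }
}
// inventory: { pageUrl, scripts: [{src}], iframes: [{src, inputNames}] }
// In a browser the lists could be built from document.scripts and
// document.querySelectorAll("iframe"); here they are plain data.
function auditCheckout(inventory, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  for (const s of inventory.scripts) {
    if (!s.src) continue; // inline code needs its own control (CSP, review)
    if (!allowed.has(originOf(s.src, inventory.pageUrl))) {
      findings.push({ kind: "script", src: s.src, reason: "origin not allowlisted" });
    }
  }
  for (const f of inventory.iframes) {
    const origin = f.src ? originOf(f.src, inventory.pageUrl) : null;
    if (allowed.has(origin)) continue;
    const card = (f.inputNames || []).some((n) => CARD_FIELD.test(n));
    findings.push({
      kind: "iframe",
      src: f.src || "(no src)",
      reason: card ? "payment fields in non-allowlisted frame" : "origin not allowlisted",
    });
  }
  return findings;
}

// Constructed sample: one unexpected script and one src-less frame with card fields.
const SAMPLE_INVENTORY = {
  pageUrl: "https://shop.example/checkout",
  scripts: [
    { src: "/static/checkout.js" },
    { src: "https://pay.example/sdk.js" },
    { src: "https://cdn-analytics.invalid/tag.js" },
    { src: null },
  ],
  iframes: [
    { src: "https://pay.example/hosted-fields", inputNames: [] },
    { src: "", inputNames: ["cc-number", "cvv"] },
  ],
};
console.log(auditCheckout(SAMPLE_INVENTORY));
```

Run on a schedule against the live checkout page, a new finding signals a script or frame that was not part of the reviewed page.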

The evolution of skimming

Later on, cybercriminals started to practice the same concept of card skimming – online. Instead of placing a physical device on the ATM, they (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2021/what-is-digital-skimming/