Warning over boom in web skimming cyber crime targeting online stores

Malwarebytes claims to have blocked 65,000 web-skimming Magecart data theft attempts in July alone

Ecommerce companies have been warned of a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems.

The warning comes despite the high profile that Magecart attacks have had following last year's British Airways data breach. That is set to cost the company £183 million in GDPR fines levied by the ICO.

Before that, Ticketmaster was turned over after its payment systems were cracked over a period of months. Indeed, tens of thousands of Magecart attacks have been successfully carried out since the first attack almost 20 years ago.

The warning comes from security firm Malwarebytes, which this week revealed that it has blocked 65,000 Magecart data theft attempts in July alone.

Malwarebytes has picked up a large number of 'spray and pray' attacks on Amazon S3 buckets

Magecart attacks target organisations' payments system by taking advantage of security flaws in ecommerce systems. The gangs - there are several, all believed located in Russia and the CIS - then inject new Javascript code onto those pages to exfiltrate payment and personal details when customers check out.

According to Malwarebytes, the majority of organisations targeted in web-skimming attempts in July were from the US (54 per cent) followed by Canada (16 per cent), Germany (seven per cent), the Netherlands (six per cent), France and the UK (five per cent) and Australia (three per cent).

Furthermore, in recent months, Malwarebytes has picked up a large number of 'spray and pray' attacks on Amazon S3 buckets, which are still on-going.

Web skimming has become big business for cyber criminals in recent years, involving numerous threat groups - from advanced actors to copycats - that try to steal sensitive data of customers.

It is becoming more difficult now to differentiate web-skimming groups by analysing code types alone

While skimmer code can help security experts to identify the different attack groups behind them, Malwarebytes warned it is becoming more difficult now to differentiate web-skimming groups by analysing code types alone, because several copycats are now re-using existing tools developed by other gangs.

Moreover, the attackers are frequently using various kind of obfuscation to hide their identities from security specialists. Obfuscation enables attackers to hide details about the servers under their control used to collect the stolen data in the first instance.

Malwarebytes usually advises customers to visit only larger online shopping sites to protect themselves from Magecart threats. However, the company also warned that visiting only larger portals is no guarantee for consumers that buying online is risk-free.

On Thursday, the Retail and Hospitality ISAC (RH-ISAC) and the PCI Security Standards Council also released a joint bulletin warning online store operators and e-commerce sites about the growing threat posed by web- skimming activity.

Carlos Kizzee, RH-ISAC's vice president of intelligence, said he has no figures currently on the financial impact of attacks on online merchants, but breaches like the one at BA highlight how severe it could be - especially with the radically larger fines being levied under GDPR.

Last month, security researches warned that the skimmer code by Magecart payment-system hackers has already infected more than 17,000 websites worldwide.